In what amounted to a cryptographic supply chain security incident caught early, GitLab and other Git hosting providers have blocked known weak SSH keys generated through GitKraken.
On October 11, 2021, the Axosoft team behind GitKraken, a cross-platform Git GUI client, said in a blog post that the organization had uncovered a security flaw in keypair, an open source SSH key generation library used by the client.
According to GitLab, weak random number generation in the library caused it to produce identical RSA keys for use with SSH. The vulnerability, discovered by Axosoft’s Ross Wheeler, is tracked as CVE-2021-41117 and has been assigned a CVSS severity score of 8.7 (high).
The vulnerable library shipped in versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken, distributed between May 12 and September 27, 2021.
According to the team, the vulnerability resulted in weak SSH key pairs being generated.
“Weak keys are created with low entropy, meaning there is a higher probability of key duplication,” GitKraken says.
Users of the software may therefore have generated weak keys and then used them to authenticate to repositories on GitHub, GitLab, Bitbucket, and Azure DevOps.
In GitKraken’s disclosure, the team says the issue has been resolved as of version 8.0.1 by removing the old dependency and replacing it with a new key generation library.
Users should upgrade to the latest build, but GitKraken cautions that any keys generated with a vulnerable version of the GUI must still be replaced: upgrading the software alone does nothing for keys that already exist.
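To make the "higher probability of key duplication" concrete, here is an added Python example (not code from GitKraken, keypair, or any hosting provider) that audits a set of OpenSSH public-key lines the way an administrator checking an authorized_keys file, or a provider checking uploaded keys, might. It flags the same public key appearing more than once, matches fingerprints against a provider-style blocklist, and, going one step beyond the article, runs a pairwise GCD over distinct RSA moduli, the standard check for low-entropy RSA generation (two keys sharing a prime lets anyone with both public keys recover both private keys). The sample keys are constructed from tiny well-known primes so the script runs offline; the user names are hypothetical, and real keys are 2048 bits or more.

```python
"""Audit OpenSSH public keys for weak-key symptoms.

Added example; not code from GitKraken, keypair, or any hosting provider.
Sample keys are constructed from tiny toy primes; user names are hypothetical.
"""
import base64
import hashlib
import math
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an id_rsa.pub / authorized_keys style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Decode a public-key line into type, OpenSSH SHA256 fingerprint, RSA modulus and comment."""
    parts = line.split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2].strip() if len(parts) > 2 else ""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if fields[0] != key_type.encode():
        raise ValueError("key type inside blob does not match the text prefix")
    # Same format as `ssh-keygen -lf`: SHA256 over the raw blob, base64 with padding stripped.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # ssh-rsa blob layout: string "ssh-rsa", mpint e, mpint n
    modulus = int.from_bytes(fields[2], "big") if key_type == "ssh-rsa" else None
    return {"type": key_type, "fingerprint": fingerprint, "modulus": modulus, "comment": comment}


def audit(lines, blocked_fingerprints=()) -> list:
    """Return findings as (kind, evidence, [comments]) tuples.

    'blocked'       fingerprint is on the supplied blocklist
    'duplicate'     the same public key appears under more than one entry
    'shared_factor' two distinct RSA moduli share a prime; evidence is that prime,
                    which is enough to factor both moduli
    """
    keys = [parse_pubkey_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    findings = []

    by_fingerprint = defaultdict(list)
    for key in keys:
        by_fingerprint[key["fingerprint"]].append(key["comment"])
    for fingerprint, comments in by_fingerprint.items():
        if fingerprint in blocked_fingerprints:
            findings.append(("blocked", fingerprint, comments))
        if len(comments) > 1:
            findings.append(("duplicate", fingerprint, comments))

    # Pairwise GCD over distinct RSA moduli (the small-scale form of batch GCD).
    distinct = {}
    for key in keys:
        if key["modulus"] is not None:
            distinct.setdefault(key["modulus"], key["comment"])
    moduli = list(distinct.items())
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            (n_a, who_a), (n_b, who_b) = moduli[i], moduli[j]
            factor = math.gcd(n_a, n_b)
            if factor != 1:
                findings.append(("shared_factor", factor, [who_a, who_b]))
    return findings


# Constructed sample: well-known small primes stand in for the 1024-bit primes of real keys.
P, Q1, Q2, Q3, Q4 = 1000003, 999983, 1299709, 104729, 7919
SAMPLE_AUTHORIZED_KEYS = [
    make_rsa_pubkey_line(65537, P * Q1, "alice@laptop"),
    make_rsa_pubkey_line(65537, P * Q1, "alice@desktop"),  # same key re-uploaded with a new comment
    make_rsa_pubkey_line(65537, P * Q2, "bob@laptop"),     # shares prime P with alice's key
    make_rsa_pubkey_line(65537, Q3 * Q4, "carol@ci"),      # independent key
]

if __name__ == "__main__":
    for kind, evidence, comments in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{kind:14} {evidence}  {', '.join(comments)}")
```

Run against the constructed sample it reports one duplicate (alice's key under two comments) and one shared factor between alice's and bob's keys. The fingerprints it prints are the same `SHA256:` values `ssh-keygen -lf` shows, so they can be compared directly with the keys listed in a hosting provider's account settings when deciding which entries to revoke.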
Reaction
GitKraken reached out to Git hosting providers that could be impacted further down the chain to warn them of the security flaw. The teams have since worked together to invalidate weak SSH keys found in active use.
GitLab has emailed customers to make them aware of the issue and has asked self-managed customers to revoke old, GitKraken-generated SSH keys immediately.
Bitbucket has also launched an investigation and has both revoked and blocked keys, preventing them from being used in the future.
The Azure DevOps team found a small subset of users “with potentially insecure SSH keys” and has revoked them, informing impacted users in the process.
“Where possible, the affected keys are now permanently blocked by the Git hosting service providers,” GitKraken says. “We will continue to work toward the highest security standards possible for all of our users.”
As of now, none of the hosting providers has reported evidence of exploitation in the wild.
For instructions on how to generate new keys, GitKraken has provided separate guides for GitHub, GitLab, Bitbucket, and Azure DevOps.
Source: https://portswigger.net/daily-swig/git-providers-revoke-weak-keys-generated-in-vulnerable-gitkraken-crypto-library