[TheRecord] Azure, GitHub, GitLab, BitBucket mass-revoke SSH keys following bug report

Microsoft (Azure DevOps), GitHub, GitLab, and BitBucket, four of today's largest code hosting platforms, began mass revocations of SSH keys on Monday after the disclosure of a vulnerability in the key-generation library used by GitKraken, a popular Git client. The weak keys were not minted by the platforms themselves: they were generated on developers' machines by the client and then uploaded to user accounts.

The mass revocations come at the request of Arizona-based software company Axosoft, which develops GitKraken and which found the flaw in its own software.

In a blog post on Monday, Axosoft explained that versions 7.6.x, 7.7.x, and 8.0.0 of its GitKraken app used an open-source library named "keypair" to generate the SSH key pairs that let developers connect the app to accounts on Azure DevOps, GitHub, GitLab, BitBucket, or other remote Git hosting servers.

But Axosoft said that the affected versions of this library generated RSA keys with too little entropy: the random input feeding key generation could take only a small number of distinct values, so under certain conditions the library produced the same key pair more than once. An attacker who can reproduce those conditions does not need to steal a victim's private key at all; they can simply regenerate it.

An attacker holding a duplicate of a user's private key can authenticate to that user's account over SSH and clone proprietary source code, and, because SSH keys on these services typically grant write access as well, push commits under the victim's identity.
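As an added illustration of the failure mode described above (this is example code written for this page, not GitKraken's or the keypair library's code), the following Python models a key generator whose only randomness is a seed carrying a handful of bits of entropy. It shows how an attacker who knows that can regenerate a victim's private key from nothing more than the public fingerprint, and it includes the duplicate-fingerprint check a platform or a user can run over a set of public keys. The seed size, the 256-bit key size, and the toy RSA routine are assumptions made for the demo; the page does not describe the actual defect inside keypair, only its consequence.

```python
"""Toy demonstration: low-entropy RSA key generation yields duplicate SSH
keys, and a public fingerprint is enough for an attacker to regenerate the
private key. The SEED_BITS entropy model and the 256-bit modulus are
assumptions for this demo, not a description of the real keypair bug."""
import base64
import hashlib
import math
import random
import struct

SEED_BITS = 8     # assumed entropy of the weak generator's seed (toy value)
KEY_BITS = 256    # toy modulus size so the demo runs in seconds; real keys are 2048+


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; witnesses come from rng so a fixed seed gives a fixed run."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set, drawing all candidates from rng."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_rsa(bits, rng, e=65537):
    """Return (n, e, d). Every random bit comes from rng, so a repeated seed
    means a repeated key pair, which is exactly the problem."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)


def openssh_public_key(n, e):
    """Encode (n, e) as an OpenSSH 'ssh-rsa AAAA...' authorized_keys line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line):
    """OpenSSH-style 'SHA256:...' fingerprint (unpadded base64 of the digest)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def weak_keygen(seed):
    """The flawed generator: the key pair is fully determined by a small seed."""
    return generate_rsa(KEY_BITS, random.Random(seed))


def recover_private_key(target_fp):
    """Attacker: enumerate every seed the weak generator could have used and
    stop when the regenerated public key matches the victim's fingerprint."""
    for seed in range(1 << SEED_BITS):
        n, e, d = weak_keygen(seed)
        if fingerprint(openssh_public_key(n, e)) == target_fp:
            return seed, (n, e, d)
    return None


def find_duplicate_fingerprints(pubkey_lines):
    """Defender: map each fingerprint seen more than once to the indexes of
    the lines sharing it; those keys are candidates for revocation."""
    seen = {}
    for i, line in enumerate(pubkey_lines):
        seen.setdefault(fingerprint(line), []).append(i)
    return {fp: idx for fp, idx in seen.items() if len(idx) > 1}


def demo(victim_seed=0xA7):
    """Victim registers a weak key; the attacker recovers the private key from
    the public fingerprint alone and proves it with a sign/verify round trip."""
    n, e, d = weak_keygen(victim_seed)
    victim_fp = fingerprint(openssh_public_key(n, e))
    hit = recover_private_key(victim_fp)
    if hit is None:
        return False
    seed, (n2, e2, d2) = hit
    m = int.from_bytes(hashlib.sha256(b"constructed challenge").digest(), "big") % n2
    return seed == victim_seed and pow(pow(m, d2, n2), e2, n2) == m


if __name__ == "__main__":
    print("private key recovered from fingerprint alone:", demo())
```

The attack loop is the whole point: with 8 bits of seed entropy there are only 256 possible key pairs, so brute force finishes instantly regardless of modulus size. The defender-side check is the same idea run in reverse; a hosting platform that sees one fingerprint registered to several unrelated accounts, or a user who sees the same fingerprint across their own machines, has direct evidence that the generator was not random.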

Axosoft said that as soon as it learned of the issue, it replaced the keypair library inside the GitKraken app, released version 8.0.1, and notified the four platforms.

Shortly after Axosoft's blog post, the security teams of Azure DevOps, GitHub, GitLab, and Atlassian's BitBucket started revoking all SSH keys connected to accounts where the GitKraken app had been used to synchronize source code.

The four platforms are now asking users to generate new SSH keys, either with a different Git client or with the updated GitKraken app (8.0.1 or later). Users should also remove the old public key from every account and server it was uploaded to, including any self-hosted Git servers, since the four platforms can only revoke keys registered with them.

Both Axosoft and the four platforms said they have found no evidence, so far, that attackers used this bug to compromise accounts.

In addition, GitHub asked the developers of other software applications, not only Git clients, to check whether they are using the vulnerable keypair library in their apps (for a Node.js project, `npm ls keypair` shows whether and where it is pulled in) and to update their code accordingly. The keypair library itself also received a security update on Monday.

The post Azure, GitHub, GitLab, BitBucket mass-revoke SSH keys following bug report appeared first on The Record by Recorded Future.

