
Microsoft revokes insecure SSH keys for Azure DevOps customers


Microsoft has revoked insecure SSH keys that some Azure DevOps customers generated using a version of the GitKraken git GUI client impacted by an underlying issue found in one of its dependencies.

Azure DevOps is a Microsoft cloud service specifically designed for code development collaboration with an integrated set of features accessible through an integrated development environment (IDE) client or web browser.

The decision to revoke the keys was made after GitKraken developer Axosoft informed Microsoft on September 28 that a bug in the pseudo-random number generator of the key pair library it used was causing duplicate RSA keys to be generated.

If Microsoft had not revoked them, the duplicate SSH keys would have allowed Azure DevOps customers to access other users’ accounts.
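The risk described above is that two unrelated accounts end up registering the same public key. The following Python script is an added example, not code from Microsoft, GitHub or Axosoft: it shows how a service operator can detect such collisions by computing the SHA256 fingerprint (the same form `ssh-keygen -lf` prints) of every registered OpenSSH public key line and flagging fingerprints shared by more than one user. The sample key lines are constructed placeholders, not real key material, and the assumption is that registered keys are available as standard OpenSSH public key lines.

```python
import base64
import hashlib
from collections import defaultdict


def _blob(key_type: bytes, material: bytes) -> str:
    """Build a constructed OpenSSH-style key blob: length-prefixed type string plus placeholder bytes.
    Real blobs carry the RSA modulus/exponent; here the bytes only need to be distinct or identical."""
    return base64.b64encode(len(key_type).to_bytes(4, "big") + key_type + material).decode()


# Constructed sample: user -> registered public key line (placeholder material, not real keys).
# "carol" carries the same blob as "alice", modelling two users whose client produced the same key.
SAMPLE_KEYS = {
    "alice": "ssh-rsa " + _blob(b"ssh-rsa", b"material-1") + " alice@laptop",
    "bob": "ssh-rsa " + _blob(b"ssh-rsa", b"material-2") + " bob@desktop",
    "carol": "ssh-rsa " + _blob(b"ssh-rsa", b"material-1") + " carol@workstation",
    "dave": "ssh-ed25519 " + _blob(b"ssh-ed25519", b"material-3") + " dave@build",
}


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, in ssh-keygen's 'SHA256:<base64 no padding>' form."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_duplicate_keys(keys: dict) -> dict:
    """Return {fingerprint: [users, ...]} for every public key registered by more than one user.
    Each such fingerprint is a key that should be revoked and regenerated by every holder."""
    by_fingerprint = defaultdict(list)
    for user, line in keys.items():
        by_fingerprint[fingerprint(line)].append(user)
    return {fp: users for fp, users in by_fingerprint.items() if len(users) > 1}


if __name__ == "__main__":
    for fp, users in find_duplicate_keys(SAMPLE_KEYS).items():
        print(f"{fp} is registered by {', '.join(users)}: revoke it and notify each holder")
```

Fingerprints are compared rather than raw key lines so that differing comments or whitespace on otherwise identical keys do not hide a collision. Running the check across all registered keys, not only those with a known client comment, is what catches duplicates produced by any other client that shared the faulty library.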

“In response to this disclosure, we have conducted a security investigation into the reported vulnerability and identified a small number of users of our service with potentially insecure SSH keys generated by the affected versions of GitKraken,” Microsoft explained.

“We have revoked all affected SSH keys generated by affected versions of GitKraken on 10/11/2021. We will also directly notify people whose SSH keys have been revoked within the next 24 hours.”

Microsoft recommends switching to new SSH keys

Although Azure DevOps customers who have not yet been notified of their SSH key revocation are unlikely to be affected by this vulnerability, Microsoft still advises them to add new SSH public keys to Azure DevOps Services / TFS.

Detailed information on deleting your SSH public keys and adding new ones can be found on the Microsoft support website.

Yesterday, GitHub also announced that it is revoking weak SSH authentication keys generated with versions of GitKraken that used the faulty library, which resulted in duplicate key pairs.

The library flaw was discovered by Axosoft engineer Dan Suceava “who noticed that the key pair regularly generated duplicate RSA keys,” and GitHub senior security engineer Kevin Jones identified the cause.

To protect its users, GitHub has revoked all keys generated by GitKraken, as well as other potentially weak keys created by other git clients using the same version of the buggy key pair library.

Bitbucket and GitLab also revoked weak public keys generated by their customers with older versions of GitKraken on Tuesday.
