How to detect weak SSH keys affected by CVE-2021-41117



  • Recently, GitLab[1] and GitKraken[2] notified users about a vulnerability in GitKraken version v in range 7.6.0. Those versions are affected by CVE-2021-41117[3] and therefore generate weak SSH keys. Now, as an administrator of a GitLab instance, I want to know if any of my users use weak keys generated by a vulnerable GitKraken version.

    I'd be grateful for any tips on how to tell if a keypair is weak, having a public key.

    [1] https://about.gitlab.com/blog/2021/10/11/notice-for-gitkraken-users-with-gitlab/
    [2] https://www.gitkraken.com/blog/weak-ssh-key-fix
    [3] https://nvd.nist.gov/vuln/detail/CVE-2021-41117



  • https://nvd.nist.gov/vuln/detail/CVE-2021-41117 explains that the affected versions of GitKraken used a weak random number generator to generate key pairs. Therefore, it is possible that identical keypairs may have been created by two different users using the software. So, it is possible that someone else may have the same key pair as one of your users. If that person notices that their public key is the same as your user's, then this means that they also know your user's private key, because these are also the same.

    A bad actor may even use the weak RNG to generate large numbers of keypairs, in hopes of finding one that matches one in use.

    If someone else knows the private key of one of your users (by way of the above), then they can use this to authenticate with your system as that user.

    So, to answer your question:

    I'd be grateful for any tips on how to tell if a keypair is weak, having a public key.

    All keypairs generated by affected versions of GitKraken are weak, because the underlying RNG used to generate these keypairs was weak.

    Unfortunately, there is no way for you to know if someone else has the same keypair as one of your users as a result of this bug, or if a bad actor may exploit this bug to generate the same keypair as one of your users in the future. Additionally, the advisory does not describe a particular way of identifying a keypair that was created by the weak RNG. This is why the advisory is recommending that users cease using any keys that were generated with affected versions of GitKraken, revoke these keys, and replace these keys with newly generated ones. But, this requires action on the part of the user that created the keypair.
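As an added example (not part of the question or the answer above), a small Python check an administrator could run over the public keys exported from a GitLab instance: it computes OpenSSH-style SHA256 fingerprints and reports any key that is registered under more than one account, which is the one observable consequence of the shared-RNG problem the answer describes. The key lines below are constructed inside the script and are not real keys; how the keys are exported from GitLab is assumed to be handled separately.

```python
import base64
import hashlib
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return len(data).to_bytes(4, "big") + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64> <comment>' line from 32 raw bytes.
    Used here only to construct sample input; the bytes need not be a valid point."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints: unpadded base64
    of the SHA-256 digest of the decoded key blob (the comment is ignored)."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(keys):
    """Group (username, public key line) records by fingerprint and return only
    the fingerprints that appear under more than one account."""
    users_by_fp = defaultdict(set)
    for user, line in keys:
        users_by_fp[fingerprint(line)].add(user)
    return {fp: sorted(users) for fp, users in users_by_fp.items() if len(users) > 1}


# Constructed sample data: alice and carol uploaded the same key blob under
# different comments; bob's key is unique.
KEY_ALICE = ed25519_pubkey_line(bytes(range(32)), "alice@laptop")
KEY_BOB = ed25519_pubkey_line(bytes(range(32, 64)), "bob@desktop")
KEY_CAROL = ed25519_pubkey_line(bytes(range(32)), "carol@work")
SAMPLE_KEYS = [("alice", KEY_ALICE), ("bob", KEY_BOB), ("carol", KEY_CAROL)]

if __name__ == "__main__":
    for fp, users in find_shared_keys(SAMPLE_KEYS).items():
        print(f"{fp} is registered by: {', '.join(users)}")
```

A key flagged this way should be treated as compromised for every account holding it; a clean result does not prove the remaining keys were generated with a sound RNG, as the answer notes.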
