CloudFlare engineer Ben Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys.
Cox says the keys revoked this month are subject to a compromised Debian OpenSSL random number generator seed discovered and fixed in early 2008.
The security bod discovered the vulnerable keys in the hands of users with commit access to high profile respositories after he scraped some 1.4 million SSH keys from Github.
“I used g0tmi1k’s set of keys to compare against what I had in my database, and found a very large amount of users who are still using vulnerable keys, and even worse, have commit access to some really large and wide projects,” Cox says.
“The most scary part of this is that anyone could have just looped through all of these keys just trying to SSH into GitHub to see the banner it gives.
“It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker.”
The risk is that attackers could locate and crack the affected keys and a handful of others that used weak key strengths to insert malcode into popular projects.
Cox has not attempted to gain access to the compromised repositories.
Affected projects include:
- Spotify’s public repos (and any private repos those employees had access to)
- Yandex’s public repos (and any private repos the person had access to)
- Crypto libraries to Python
- Python’s core
- gov.uk public repos (and any private repos the person had access to)
- Couchbase (and any private repos the person had access to)
- A ruby gem that is used on a large amount of CI systems (compromise of that, means compromise of your build server, and possibly your internal network)
Github acknowledged the security risk but says it is a user security issue and not something which would qualify for its bug bounty program.
Cox says that response was acceptable but adds Github should do more to stop users hurting themselves.
He says about two thirds of Github accounts utilise SSH keys. ®