On Tue, Jan 23, 2024 at 9:39 PM Johnnie W Adams <jxadams@xxxxxxxx> wrote: > You might find RedHat's CVE page on this useful: > https://access.redhat.com/security/cve/cve-2023-48795 > > On Tue, Jan 23, 2024 at 10:04 AM Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> > wrote: > >> Hi, >> >> I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise >> Linux release 8.7 (Ootpa). The details are as follows. >> >> # rpm -qa | grep openssh >> openssh-8.0p1-16.el8.x86_64 >> openssh-askpass-8.0p1-16.el8.x86_64 >> openssh-server-8.0p1-16.el8.x86_64 >> openssh-clients-8.0p1-16.el8.x86_64 >> >> # cat /etc/redhat-release >> Red Hat Enterprise Linux release 8.7 (Ootpa) >> # >> >> SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) >> >> Synopsis >> The remote SSH server is vulnerable to a mitm prefix truncation attack. >> Description >> The remote SSH server is vulnerable to a man-in-the-middle prefix >> truncation weakness known as Terrapin. >> This can allow a remote, man-in-the-middle attacker to bypass integrity >> checks and downgrade the >> connection's security. >> Note that this plugin only checks for remote SSH servers that support >> either ChaCha20-Poly1305 or CBC >> with Encrypt-then-MAC and do not support the strict key exchange >> countermeasures. It does not check for >> vulnerable software versions. >> See Also >> https://terrapin-attack.com/ >> >> Solution >> Contact the vendor for an update with the strict key exchange >> countermeasures or disable the affected >> algorithms. >> Risk Factor >> Medium >> CVSS v3.0 Base Score >> 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) >> CVSS v3.0 Temporal Score >> 5.3 (CVSS:3.0/E:P/RL:O/RC:C) >> VPR Score >> 6.9 >> CVSS v2.0 Base Score >> 5.4 (CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N) >> CVSS v2.0 Temporal Score >> 4.2 (CVSS2#E:POC/RL:OF/RC:C) >> 187315 (10) - SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) 16 >> >> References >> CVE CVE-2023-48795 >> >> Is there a way to configure /etc/ssh/sshd_config to mitigate SSH Terrapin >> Prefix Truncation Weakness (CVE-2023-48795)? >> >> Please guide me. >> >> Thanks in advance. >> >> Best Regards, >> >> Kaushal >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev@xxxxxxxxxxx >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > > > -- > John Adams > Senior Linux/Middleware Administrator | Information Technology Services > +1-501-916-3010 | jxadams@xxxxxxxx | http://ualr.edu/itservices > *UA Little Rock* > Thanks a lot John for a quick and detailed response. Much appreciated. I have used the below steps to mitigate SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) for the benefit of the entire community who will encounter a similar SSH vulnerability. #cd /etc/crypto-policies/policies/modules/ #touch CVE-2023-48795.pmod ###content in CVE-2023-48795.pmod file as per below #vim CVE-2023-48795.pmod cipher@SSH = -CHACHA20-POLY1305 ssh_etm = 0 #update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795 #update-crypto-policies --show #systemctl restart sshd.service #systemctl status sshd.service I have used https://github.com/RUB-NDS/Terrapin-Scanner. Terrapin Vulnerability Scanner is a small utility program written in Go, which can be used to determine the vulnerability of an SSH client or server against the Terrapin Attack (https://terrapin-attack.com/) #wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz #tar -C /usr/local -xzf go1.21.6.linux-amd64.tar.gz #export PATH=$PATH:/usr/local/go/bin #go version #go install github.com/RUB-NDS/Terrapin-Scanner@latest #cd /root/go/bin/ # ./Terrapin-Scanner --connect localhost --json (Command to validate the SSH Terrapin Prefix Truncation Weakness CVE-2023-48795 in JSON format) { "RemoteAddr": "[::1]:22", "IsServer": true, "Banner": "SSH-2.0-OpenSSH_8.0", "SupportsChaCha20": false, "SupportsCbcEtm": false, "SupportsStrictKex": false, "Vulnerable": false } # ./Terrapin-Scanner --connect localhost (Command to validate the SSH Terrapin Prefix Truncation Weakness CVE-2023-48795) ================================================================================ ==================================== Report ==================================== ================================================================================ Remote Banner: SSH-2.0-OpenSSH_8.0 ChaCha20-Poly1305 support: false CBC-EtM support: false Strict key exchange support: false The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it. Note: This tool is provided as is, with no warranty whatsoever. It determines the vulnerability of a peer by checking the supported algorithms and support for strict key exchange. It may falsely claim a peer to be vulnerable if the vendor supports countermeasures other than strict key exchange. For more details visit our website available at https://terrapin-attack.com # Thanks in advance. Best Regards, Kaushal _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
