SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) on Red Hat Enterprise Linux release 8.7 (Ootpa)
Kaushal Shriyan
kaushalshriyan at gmail.com
Wed Jan 24 13:14:07 AEDT 2024
On Tue, Jan 23, 2024 at 9:39 PM Johnnie W Adams <jxadams at ualr.edu> wrote:
> You might find RedHat's CVE page on this useful:
> https://access.redhat.com/security/cve/cve-2023-48795
>
> On Tue, Jan 23, 2024 at 10:04 AM Kaushal Shriyan <kaushalshriyan at gmail.com>
> wrote:
>
>> Hi,
>>
>> I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise
>> Linux release 8.7 (Ootpa). The details are as follows.
>>
>> # rpm -qa | grep openssh
>> openssh-8.0p1-16.el8.x86_64
>> openssh-askpass-8.0p1-16.el8.x86_64
>> openssh-server-8.0p1-16.el8.x86_64
>> openssh-clients-8.0p1-16.el8.x86_64
>>
>> # cat /etc/redhat-release
>> Red Hat Enterprise Linux release 8.7 (Ootpa)
>> #
>>
>> SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
>>
>> Synopsis
>> The remote SSH server is vulnerable to a mitm prefix truncation attack.
>> Description
>> The remote SSH server is vulnerable to a man-in-the-middle prefix
>> truncation weakness known as Terrapin.
>> This can allow a remote, man-in-the-middle attacker to bypass integrity
>> checks and downgrade the
>> connection's security.
>> Note that this plugin only checks for remote SSH servers that support
>> either ChaCha20-Poly1305 or CBC
>> with Encrypt-then-MAC and do not support the strict key exchange
>> countermeasures. It does not check for
>> vulnerable software versions.
>> See Also
>> https://terrapin-attack.com/
>>
>> Solution
>> Contact the vendor for an update with the strict key exchange
>> countermeasures or disable the affected
>> algorithms.
>> Risk Factor
>> Medium
>> CVSS v3.0 Base Score
>> 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
>> CVSS v3.0 Temporal Score
>> 5.3 (CVSS:3.0/E:P/RL:O/RC:C)
>> VPR Score
>> 6.9
>> CVSS v2.0 Base Score
>> 5.4 (CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N)
>> CVSS v2.0 Temporal Score
>> 4.2 (CVSS2#E:POC/RL:OF/RC:C)
>> 187315 (10) - SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) 16
>>
>> References
>> CVE CVE-2023-48795
>>
>> Is there a way to configure /etc/ssh/sshd_config to mitigate SSH Terrapin
>> Prefix Truncation Weakness (CVE-2023-48795)?
>>
>> Please guide me.
>>
>> Thanks in advance.
>>
>> Best Regards,
>>
>> Kaushal
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
> --
> John Adams
> Senior Linux/Middleware Administrator | Information Technology Services
> +1-501-916-3010 | jxadams at ualr.edu | http://ualr.edu/itservices
> *UA Little Rock*
>
Thanks a lot John for a quick and detailed response. Much appreciated. I
have used the below steps to mitigate SSH Terrapin Prefix Truncation
Weakness (CVE-2023-48795) for the benefit of the entire community who will
encounter a similar SSH vulnerability.
#cd /etc/crypto-policies/policies/modules/
#touch CVE-2023-48795.pmod
###content in CVE-2023-48795.pmod file as per below
#vim CVE-2023-48795.pmod
cipher at SSH = -CHACHA20-POLY1305
ssh_etm = 0
#update-crypto-policies --set $(update-crypto-policies
--show):CVE-2023-48795
#update-crypto-policies --show
#systemctl restart sshd.service
#systemctl status sshd.service
I have used https://github.com/RUB-NDS/Terrapin-Scanner. Terrapin
Vulnerability Scanner is a small utility program written in Go, which can
be used to determine the vulnerability of an SSH client or server against
the Terrapin Attack (https://terrapin-attack.com/)
#wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz
#tar -C /usr/local -xzf go1.21.6.linux-amd64.tar.gz
#export PATH=$PATH:/usr/local/go/bin
#go version
#go install github.com/RUB-NDS/Terrapin-Scanner at latest
#cd /root/go/bin/
# ./Terrapin-Scanner --connect localhost --json (Command to validate the
SSH Terrapin Prefix Truncation Weakness CVE-2023-48795 in JSON format)
{
"RemoteAddr": "[::1]:22",
"IsServer": true,
"Banner": "SSH-2.0-OpenSSH_8.0",
"SupportsChaCha20": false,
"SupportsCbcEtm": false,
"SupportsStrictKex": false,
"Vulnerable": false
}
# ./Terrapin-Scanner --connect localhost (Command to validate the SSH
Terrapin Prefix Truncation Weakness CVE-2023-48795)
================================================================================
==================================== Report
====================================
================================================================================
Remote Banner: SSH-2.0-OpenSSH_8.0
ChaCha20-Poly1305 support: false
CBC-EtM support: false
Strict key exchange support: false
The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin. Glad to see this.
For strict key exchange to take effect, both peers must support it.
Note: This tool is provided as is, with no warranty whatsoever. It
determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict
key
exchange.
For more details visit our website available at https://terrapin-attack.com
#
Thanks in advance.
Best Regards,
Kaushal
More information about the openssh-unix-dev
mailing list