Reg SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

Hi Experts, we are using Alma Linux 8.8 in our software, and we are seeing the below vulnerability reported through Nessus Scan (Tenable).

Kindly let us know if there is any solution that you can suggest to address/mask this vulnerability.

Thanks,
Kiran

The following Red Hat article has the details including mitigation:

https://access.redhat.com/security/cve/cve-2023-48795

Thank You.

Looks like this vulnerability is officially fixed now in openssh-8.0p1-19.el8_9.2.x86_64.rpm

Regards,
Kiran

Correct me if I'm wrong, but from what you posted it's clear that openssh 8.7p1-34 is not vulnerable? I'm on this version.
Screenshot 2024-01-31 at 18.21.03

As per the below links, I see it is fixed in openssh-8.0p1-19.el8_9.2.x86_64.rpm

https://access.redhat.com/security/cve/cve-2023-48795
https://access.redhat.com/errata/RHSA-2024:0606

You may run Nessus Scan (Tenable) in your environment and confirm the same.

Hi @wojciechxtx, did you rerun the Nessus scan with openssh-8.0p1-19.el8_9.2.x86_64.rpm? Was the vulnerability reported for this version? Please confirm.
Thanks

@Gurpreet no I did not run it yet. I have it in my backlog for today/tonight, so will post results here.

I’m also on Alma 9, trying to figure out the fix for this. I see a fix published for Alma 8:
https://errata.almalinux.org/8/ALSA-2024-0606.html
but I haven’t seen it for Alma 9.
It appears that openssh 8.7p1-34.el9 was published in July https://almalinux.pkgs.org/9/almalinux-baseos-x86_64/openssh-8.7p1-34.el9.x86_64.rpm.html
which is before this CVE, so I assume it’s still not fixed in Alma 9?

@skynet have no idea about 8.7 version; I'm on 9.6 (compiled from source by myself) and Terrapin is no thing for me :smile:

Ah ok, I was just going based on what you had installed in that screenshot. Maybe compiling from source is the way to go for now

The screenshot was right at the time of writing. I have since updated OpenSSH.

If you want not to be vulnerable to Terrapin, then the answer is yes.

PS. Bear in mind that I'm on a physical server, not a desktop, so there is a huge need for my setup not to be vulnerable.

Did a little more research and found what seems like the simplest solution here: security - How do you mitigate the Terrapin SSH attack? - Unix & Linux Stack Exchange

Add this file /etc/crypto-policies/policies/modules/TERRAPIN.pmod:

cipher@ssh = -CHACHA20*
ssh_etm = 0

then run

update-crypto-policies --set DEFAULT:TERRAPIN

and reboot.

I went with this since I don’t need openssh 9.6 yet
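
To confirm that the crypto-policy module above took effect, the following added example (not part of the original posts) reads `sshd -T` style output and lists any ChaCha20-Poly1305 cipher or `-etm@openssh.com` MAC that is still offered. The function name `terrapin_check` and both sample outputs are constructed for illustration; it checks the configuration-based mitigation only and says nothing about whether an installed package carries the fix.

```shell
#!/bin/sh
# terrapin_check: reads effective sshd configuration (as printed by `sshd -T`)
# on stdin and prints every algorithm that TERRAPIN.pmod is meant to disable
# but that is still offered. Returns 0 when none remain, 1 otherwise.
terrapin_check() {
    awk '
        BEGIN { bad = 0 }
        # sshd -T prints a lowercase keyword, then a comma-separated list
        $1 == "ciphers" || $1 == "macs" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                a = algs[i]
                # "cipher@ssh = -CHACHA20*" should remove this cipher
                if ($1 == "ciphers" && a ~ /^chacha20-poly1305/) {
                    print "cipher still offered: " a; bad = 1
                }
                # "ssh_etm = 0" should remove every encrypt-then-MAC variant
                if ($1 == "macs" && a ~ /-etm@openssh\.com$/) {
                    print "EtM MAC still offered: " a; bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Constructed sample: output resembling a host before the module is applied.
SAMPLE_BEFORE='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Constructed sample: the same host after DEFAULT:TERRAPIN is active.
SAMPLE_AFTER='port 22
ciphers aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | terrapin_check || true
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | terrapin_check && echo "clean"

# On a real host (as root): sshd -T | terrapin_check
```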