Reg SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

Hi Experts, We are using Alma Linux 8.8 in our software, and we are seeing below vulnerability reported through Nessus Scan(Tenable)

Kindly let us know if there is any solution that you can suggest us to address/mask this vulnerability.


The following Red Hat article has the details including mitigation:

Thank You.

Looks like this vulnerability is officially fixed now in openssh-8.0p1-19.el8_9.2.x86_64.rpm


Correct me if Im wrong, but from what you posted its clear that openssh 8.7p1-34 is not vulnerable? Im on this version.
Zrzut ekranu 2024-01-31 o 18.21.03

As per the below links, I see it is fixed in openssh-8.0p1-19.el8_9.2.x86_64.rpm

You may run Nessus Scan (Tenable) in your environment and confirm the same.

1 Like

Hi, @wojciechxtx did you rerun the Nessus scan with openssh-8.0p1-19.el8_9.2.x86_64.rpm? Was the vulnerability reported for this version? please confirm

@Gurpreet no I did not run it yet. I have it in my backlog for today/tonight, so will post results here.

I’m also on Alma 9, trying to figure out the fix for this. I see a fix published for Alma 8:
but I haven’t seen it for Alma 9.
It appears that openssh 8.7p1-34.el9 was published in July
which is before this CVE, so I assume it’s still not fixed in Alma 9?

@skynet have no idea about 8.7 version; Im on 9.6 (compiled from source by myself) and Terrapin is no thing for me :smile:

Ah ok, I was just going based on what you had installed in that screenshot. Maybe compiling from source is the way to go for now

1 Like

The screenshot was right at the time of writing. I have since updated OpenSSH.

If you want not to be vulnerable to Terrapin than answer is yes.

PS. Bear in mind that Im on physical server not desktop so there is huge need for my setup not to be vulnerable.

Did a little more research and found what seems like the simplest solution here: security - How do you mitigate the Terrapin SSH attack? - Unix & Linux Stack Exchange

Add this file /etc/crypto-policies/policies/modules/TERRAPIN.pmod:

cipher@ssh = -CHACHA20*
ssh_etm = 0

then run

update-crypto-policies --set DEFAULT:TERRAPIN

and reboot.

I went with this since I don’t need openssh 9.6 yet