WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack  (Read 1891 times)

Offline ovacikar

  • Jr. Member
  • **
  • Posts: 65
openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« on: February 08, 2024, 02:44:31 PM »
Hello,

Current openssh 9.5p1 appear vulnerable to  CVE-2023-48795, I was able to compile openssh 9.6.p1 using the same instructions (except using newest openssl-dev

http://tinycorelinux.net/11.x/x86/tcz/src/openssh/compile_openssh

Should I start preparing a submission, or the original maintainer (juanito) can rather do it?

Offline patrikg

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 723
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #1 on: February 08, 2024, 02:47:36 PM »
Why not offload juanito, and submit a extension, he is doing a lot.

Offline ovacikar

  • Jr. Member
  • **
  • Posts: 65
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #2 on: February 08, 2024, 02:52:19 PM »
Well I found out the install did not provide the etc/init.d/openssh script. I can run it from bootlocal.sh using existing keys.

So will need to revisit building a tcz.

Online Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11702
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #3 on: February 08, 2024, 03:04:18 PM »
Hi patrikg
That's up to Juanito to decide, not you.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14851
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #4 on: February 08, 2024, 05:56:41 PM »
I’m happy to do it, but it’ll be in a couple of weeks time..

Offline ovacikar

  • Jr. Member
  • **
  • Posts: 65
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #5 on: February 08, 2024, 09:27:12 PM »
Was able to fix this with sshd_config update https://terrapin-attack.com/#question-answer

Code: [Select]
ciphers aes256-gcm@openssh.com
before:
Code: [Select]
Remote Banner: SSH-2.0-OpenSSH_9.3

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.
after:
Code: [Select]
Remote Banner: SSH-2.0-OpenSSH_9.3

ChaCha20-Poly1305 support:   false
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin. Glad to see this.
For strict key exchange to take effect, both peers must support it.

Offline ovacikar

  • Jr. Member
  • **
  • Posts: 65
Re: openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack
« Reply #6 on: July 05, 2024, 09:03:26 AM »
FYI there is another CVE-2024-6387 affecting openssh. It has been fixed 9.8p1

For those in need urgently, the build script http://tinycorelinux.net/11.x/armv6/tcz/src/openssh/ works fine.