openssh 9.6.p1 to mitigate CVE-2023-48795 - Terrapin attack

[ovacikar]

Hello,

Current openssh 9.5p1 appear vulnerable to  CVE-2023-48795, I was able to compile openssh 9.6.p1 using the same instructions (except using newest openssl-dev

http://tinycorelinux.net/11.x/x86/tcz/src/openssh/compile_openssh

Should I start preparing a submission, or the original maintainer (juanito) can rather do it?

[patrikg]

Why not offload juanito, and submit a extension, he is doing a lot.

[ovacikar]

Well I found out the install did not provide the etc/init.d/openssh script. I can run it from bootlocal.sh using existing keys.

So will need to revisit building a tcz.

[Rich]

Hi patrikg
That's up to Juanito to decide, not you.

[Juanito]

I’m happy to do it, but it’ll be in a couple of weeks time..

[ovacikar]

Was able to fix this with sshd_config update https://terrapin-attack.com/#question-answer

Code: [Select]

ciphers aes256-gcm@openssh.com
before:

Code: [Select]

Remote Banner: SSH-2.0-OpenSSH_9.3

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.after:

Code: [Select]

Remote Banner: SSH-2.0-OpenSSH_9.3

ChaCha20-Poly1305 support:   false
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin. Glad to see this.
For strict key exchange to take effect, both peers must support it.

[ovacikar]

FYI there is another CVE-2024-6387 affecting openssh. It has been fixed 9.8p1

For those in need urgently, the build script http://tinycorelinux.net/11.x/armv6/tcz/src/openssh/ works fine.