Allan speaks truth.
Looks like the OpenSSH team addressed the Terrapin attack hot on the
heels of the CVE ...
https://www.openssh.com/releasenotes.html
(9.6 is discussed at the top of the release notes)
OpenSSH 9.6p1 is in the Chicory collection.
(Was troublesome because of forced upgrades presumably not related to
CVE-2023-48795, but did eventually build.)
I've got it built for Linux and FreeBSD with more to come. There's a
z/OS build here ...
https://github.com/ZOSOpenTools/opensshport/releases/download/STABLE_opensshport_1953/openssh-9.6p1.20240109_105141.zos.pax.Z
For more info about the vulnerability, see here ...
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
-- R; <><
On 1/25/24 09:20, Allan Staller wrote:
Classification: Confidential
It does take some time for the fixes to be developed, tested and distributed.
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Jousma, David
Sent: Thursday, January 25, 2024 8:04 AM
To: [email protected]
Subject: New SSH vulnerability
Looks like a fairly new SSH vulnerability has surfaced...Anyone figure out a
local remediation for this yet? As per usual, IBM is mum. There is no
fixing PTF yet based on what I see in ResourceLink.
QID: 38913
Severity: HIGH
Definition: SSH Prefix Truncation Vulnerability (Terrapin)
Description
The Terrapin attack exploits weaknesses in the SSH transport layer protocol in
combination with newer cryptographic algorithms and encryption modes introduced
by OpenSSH over 10 years ago. Since then, these have been adopted by a wide
range of SSH implementations, therefore affecting a majority of current
implementations.
QID Detection Logic (Unauthenticated):
This detection attempts to start the SSH key exchange process and examines
whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM
Algorithm is active. It subsequently verifies whether Strict Key Exchange is
enabled. If a target is identified as vulnerable, it indicates that the target
supports either of the vulnerable algorithms and lacks support for Strict Key
Exchange.
Solution
Customers are advised to refer to the individual vendor advisory for their
operating system and install the patch released by the vendor. For more
information regarding the vulnerability, please refer to Terrapin Vulnerability
Patch:
Following are links for downloading patches to fix the vulnerabilities:
OpenWall Security Advisory
Impact
Successful exploitation of the vulnerability may allow an attacker to downgrade
the security of an SSH connection when using SSH extension negotiation. The
impact in practice heavily depends on the supported extensions. Most commonly,
this will impact the security of client authentication when using an RSA public
key.
CVEs: CVE-2023-48795
Results
SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22
ChaCha20-Poly1305 Algorithm Support: True
CBC-EtM Algorithm Support: False
Strict Key Exchange algorithm enabled: False
EVM Report: Yes
EVM Risk Score: 4.9
Host Details
Host: 192.168.30.2
IP Address: 192.168.30.2
Operating System: IBM OS/390
Tier: T3
FQDN:
Port: 22
Protocol: tcp
Dave Jousma
Vice President | Director, Technology Engineering
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
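
The three checks in the QID detection logic quoted above, as an added example that is not part of the original thread and is not the scanner's or OpenSSH's own code: it parses a server SSH_MSG_KEXINIT payload and reports the same three fields as the Results block. The payload layout follows RFC 4253 and the `kex-strict-s-v00@openssh.com` marker is the one named in the OpenSSH 9.6 release notes; the function names and both sample offers are constructed for illustration.

```python
import struct
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict KEX marker
CHACHA = "chacha20-poly1305@openssh.com"

def build_kexinit(lists):
    """Encode a KEXINIT payload from a dict of name-lists (used for the samples)."""
    body = bytes([20]) + bytes(16)  # message type 20 + 16-byte cookie (zeroed here)
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting mistyped or truncated payloads."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list runs past end of payload")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    return out

def assess_server(payload):
    """Apply the three checks from the scanner's Results block to a server KEXINIT."""
    kx = parse_kexinit(payload)
    chacha = any(CHACHA in kx[f] for f in ("enc_c2s", "enc_s2c"))
    # CBC-EtM needs a CBC cipher and an encrypt-then-MAC MAC in the same direction.
    cbc_etm = any(
        any(c.endswith("-cbc") for c in kx["enc_" + d])
        and any(m.endswith("-etm@openssh.com") for m in kx["mac_" + d])
        for d in ("c2s", "s2c"))
    strict = STRICT_KEX_SERVER in kx["kex"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "strict_kex": strict, "flagged": (chacha or cbc_etm) and not strict}

# Constructed samples: an offer without strict KEX and one that advertises it.
_ALGS = {"enc_c2s": [CHACHA, "aes128-ctr"], "enc_s2c": [CHACHA, "aes128-ctr"],
         "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
OLD_OFFER = build_kexinit({**_ALGS, "kex": ["curve25519-sha256"]})
NEW_OFFER = build_kexinit({**_ALGS, "kex": ["curve25519-sha256", STRICT_KEX_SERVER]})
```

`assess_server(OLD_OFFER)` reproduces the True / False / False pattern from the report, while `NEW_OFFER` still offers ChaCha20-Poly1305 but is no longer flagged because the strict KEX marker is present.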