Re: New SSH vulnerability
1) /etc/ssh/zos_ssh_config CiphersSource ICSF This has nothing to do with the CVE, and I wouldn't use this. The default (CPACF) uses significantly less CPU than going through ICSF. Same goes for MACsSource 2. /etc/ssh/sshd_config Algorithms to exclude: Ciphers #remove the following: chacha20-poly1...@openssh.com Macs # remove the following: hmac-sha2-512-...@openssh.com hmac-sha2-256-...@openssh.com hmac-sha1-...@openssh.com <mailto:hmac-sha1-...@openssh.com> hmac-md5-...@openssh.com 3. You should do the same Cipher and MACs changes in /etc/ssh/ssh_config, otherwise you are only protecting SSHD connections from this MITM attack. FYI - information on configuring OpenSSH can be found here: https://coztoolkit.com/docs/pt-quick-inst/pto-inst-cpacf.html#pto-inst-cpacf-enable Kirk Wolf Dovetailed Technologies http:// <http://dovetail.com>coztoolkit.com On Thu, Jan 25, 2024, at 10:26 AM, Jousma, David wrote: > We were able to remediate the situation by the following ssh config changes. >Thanks to our invisible friend kekronbekron for pointing me to some > additional helpful information. > > > EDIT /etc/ssh/zos_ssh_config > > Command ===> > > ** * > > 01 # set crypto options > > 02 CiphersSource ICSF > > > > > > EDIT /etc/ssh/sshd_config > > Command ===> > > 000102 Subsystem sftp /usr/lib/ssh/sftp-server > > 000103 > > 000104 #set crypto options > > 000105 Ciphers > aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com<mailto:aes128-...@openssh.com>,aes256-...@openssh.com<mailto:aes256-...@openssh.com> > > > Dave Jousma > Vice President | Director, Technology Engineering > > > > > > From: Jousma, David > Date: Thursday, January 25, 2024 at 9:04 AM > To: IBM-Main (ibm-main@listserv.ua.edu) > Subject: New SSH vulnerability > Looks like a fairly new SSH vulnerability has surfaced…Anyone figure out a > local remediation for this yet? As per usual, IBM is mum. There is no > fixing PTF yet based on what I see in ResourceLink. > > > QID > > 38913 > > Severity > > HIGH > > Definition > > SSH Prefix Truncation Vulnerability (Terrapin) > > Description > > The Terrapin attack exploits weaknesses in the SSH transport layer protocol > in combination with newer cryptographic algorithms and encryption modes > introduced by OpenSSH over 10 years ago. Since then, these have been adopted > by a wide range of SSH implementations, therefore affecting a majority of > current implementations. > > > > > > QID Detection Logic (Unauthenticated): > > > > This detection attempts to start the SSH key exchange process and examines > whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM > Algorithm is active. It subsequently verifies whether Strict Key Exchange is > enabled. If a target is identified as vulnerable, it indicates that the > target supports either of the vulnerable algorithms and lacks support for > Strict Key Exchange. > > Solution > > Customers are advised to refer to the individual vendor advisory for their > operating system and install the patch released by the vendor. For more > information regarding the vulnerability, please refer to Terrapin > Vulnerability > > > > Patch: > > > > Following are links for downloading patches to fix the vulnerabilities: > > OpenWall Security Advisory > > Impact > > Successful exploitation of the vulnerability may allow an attacker to > downgrade the security of an SSH connection when using SSH extension > negotiation. The impact in practice heavily depends on the supported > extensions. Most commonly, this will impact the security of client > authentication when using an RSA public key. > > CVEs > > CVE-2023-48795 > > Results > > SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22 > > ChaCha20-Poly1305 Algorithm Support: True > > CBC-EtM Algorithm Support: False > > Strict Key Exchange algorithm enabled: False > > EVM Report > > Yes > > EVM Risk Score > > 4.9 > > Host Details > > Host > > 192.168.30.2 > > IP Address > > 192.168.30.2 > > Operating System > > IBM OS/390 > > Tier > > T3 > > FQDN > > > > Port > > 22 > > Protocol > > tcp > > > > > Dave Jousma > Vice President | Director, Technology Engineering > > > > > > > This e-mail transmission contains information that is confid
Re: New SSH vulnerability
We were able to remediate the situation by the following ssh config changes. Thanks to our invisible friend kekronbekron for pointing me to some additional helpful information. EDIT /etc/ssh/zos_ssh_config Command ===> ** * 01 # set crypto options 02 CiphersSource ICSF EDIT /etc/ssh/sshd_config Command ===> 000102 Subsystem sftp /usr/lib/ssh/sftp-server 000103 000104 #set crypto options 000105 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com<mailto:aes128-...@openssh.com>,aes256-...@openssh.com<mailto:aes256-...@openssh.com> Dave Jousma Vice President | Director, Technology Engineering From: Jousma, David Date: Thursday, January 25, 2024 at 9:04 AM To: IBM-Main (ibm-main@listserv.ua.edu) Subject: New SSH vulnerability Looks like a fairly new SSH vulnerability has surfaced…Anyone figure out a local remediation for this yet? As per usual, IBM is mum. There is no fixing PTF yet based on what I see in ResourceLink. QID 38913 Severity HIGH Definition SSH Prefix Truncation Vulnerability (Terrapin) Description The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations. QID Detection Logic (Unauthenticated): This detection attempts to start the SSH key exchange process and examines whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM Algorithm is active. It subsequently verifies whether Strict Key Exchange is enabled. If a target is identified as vulnerable, it indicates that the target supports either of the vulnerable algorithms and lacks support for Strict Key Exchange. Solution Customers are advised to refer to the individual vendor advisory for their operating system and install the patch released by the vendor. For more information regarding the vulnerability, please refer to Terrapin Vulnerability Patch: Following are links for downloading patches to fix the vulnerabilities: OpenWall Security Advisory Impact Successful exploitation of the vulnerability may allow an attacker to downgrade the security of an SSH connection when using SSH extension negotiation. The impact in practice heavily depends on the supported extensions. Most commonly, this will impact the security of client authentication when using an RSA public key. CVEs CVE-2023-48795 Results SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22 ChaCha20-Poly1305 Algorithm Support: True CBC-EtM Algorithm Support: False Strict Key Exchange algorithm enabled: False EVM Report Yes EVM Risk Score 4.9 Host Details Host 192.168.30.2 IP Address 192.168.30.2 Operating System IBM OS/390 Tier T3 FQDN Port 22 Protocol tcp Dave Jousma Vice President | Director, Technology Engineering This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: New SSH vulnerability
Allan speaks truth. Looks like the OpenSSH team addressed the Terrapin attack hot on the heels of the CVE ... https://www.openssh.com/releasenotes.html (9.6 is discussed at the top of the release notes) OpenSSH 9.6p1 is in the Chicory collection. (Was troublesome because of forced upgrades presumably not related to CVE-2023-48795, but did eventually build.) I've got it built for Linux and FreeBSD with more to come. There's a z/OS build here ... https://github.com/ZOSOpenTools/opensshport/releases/download/STABLE_opensshport_1953/openssh-9.6p1.20240109_105141.zos.pax.Z For more info about the vulnerability, see here ... https://nvd.nist.gov/vuln/detail/CVE-2023-48795 -- R; <>< On 1/25/24 09:20, Allan Staller wrote: Classification: Confidential It does take some time for the fixes to be developed, tested and distributed. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jousma, David Sent: Thursday, January 25, 2024 8:04 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: New SSH vulnerability [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don't click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] Looks like a fairly new SSH vulnerability has surfaced...Anyone figure out a local remediation for this yet? As per usual, IBM is mum. There is no fixing PTF yet based on what I see in ResourceLink. QID 38913 Severity HIGH Definition SSH Prefix Truncation Vulnerability (Terrapin) Description The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations. QID Detection Logic (Unauthenticated): This detection attempts to start the SSH key exchange process and examines whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM Algorithm is active. It subsequently verifies whether Strict Key Exchange is enabled. If a target is identified as vulnerable, it indicates that the target supports either of the vulnerable algorithms and lacks support for Strict Key Exchange. Solution Customers are advised to refer to the individual vendor advisory for their operating system and install the patch released by the vendor. For more information regarding the vulnerability, please refer to Terrapin Vulnerability Patch: Following are links for downloading patches to fix the vulnerabilities: OpenWall Security Advisory Impact Successful exploitation of the vulnerability may allow an attacker to downgrade the security of an SSH connection when using SSH extension negotiation. The impact in practice heavily depends on the supported extensions. Most commonly, this will impact the security of client authentication when using an RSA public key. CVEs CVE-2023-48795 Results SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22 ChaCha20-Poly1305 Algorithm Support: True CBC-EtM Algorithm Support: False Strict Key Exchange algorithm enabled: False EVM Report Yes EVM Risk Score 4.9 Host Details Host 192.168.30.2 IP Address 192.168.30.2 Operating System IBM OS/390 Tier T3 FQDN Port 22 Protocol tcp Dave Jousma Vice President | Director, Technology Engineering This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ::DISCLAIMER:: The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of rep
Re: New SSH vulnerability
Classification: Confidential It does take some time for the fixes to be developed, tested and distributed. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jousma, David Sent: Thursday, January 25, 2024 8:04 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: New SSH vulnerability [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don't click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] Looks like a fairly new SSH vulnerability has surfaced...Anyone figure out a local remediation for this yet? As per usual, IBM is mum. There is no fixing PTF yet based on what I see in ResourceLink. QID 38913 Severity HIGH Definition SSH Prefix Truncation Vulnerability (Terrapin) Description The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations. QID Detection Logic (Unauthenticated): This detection attempts to start the SSH key exchange process and examines whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM Algorithm is active. It subsequently verifies whether Strict Key Exchange is enabled. If a target is identified as vulnerable, it indicates that the target supports either of the vulnerable algorithms and lacks support for Strict Key Exchange. Solution Customers are advised to refer to the individual vendor advisory for their operating system and install the patch released by the vendor. For more information regarding the vulnerability, please refer to Terrapin Vulnerability Patch: Following are links for downloading patches to fix the vulnerabilities: OpenWall Security Advisory Impact Successful exploitation of the vulnerability may allow an attacker to downgrade the security of an SSH connection when using SSH extension negotiation. The impact in practice heavily depends on the supported extensions. Most commonly, this will impact the security of client authentication when using an RSA public key. CVEs CVE-2023-48795 Results SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22 ChaCha20-Poly1305 Algorithm Support: True CBC-EtM Algorithm Support: False Strict Key Exchange algorithm enabled: False EVM Report Yes EVM Risk Score 4.9 Host Details Host 192.168.30.2 IP Address 192.168.30.2 Operating System IBM OS/390 Tier T3 FQDN Port 22 Protocol tcp Dave Jousma Vice President | Director, Technology Engineering This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ::DISCLAIMER:: The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
New SSH vulnerability
Looks like a fairly new SSH vulnerability has surfaced…Anyone figure out a local remediation for this yet? As per usual, IBM is mum. There is no fixing PTF yet based on what I see in ResourceLink. QID 38913 Severity HIGH Definition SSH Prefix Truncation Vulnerability (Terrapin) Description The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations. QID Detection Logic (Unauthenticated): This detection attempts to start the SSH key exchange process and examines whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM Algorithm is active. It subsequently verifies whether Strict Key Exchange is enabled. If a target is identified as vulnerable, it indicates that the target supports either of the vulnerable algorithms and lacks support for Strict Key Exchange. Solution Customers are advised to refer to the individual vendor advisory for their operating system and install the patch released by the vendor. For more information regarding the vulnerability, please refer to Terrapin Vulnerability Patch: Following are links for downloading patches to fix the vulnerabilities: OpenWall Security Advisory Impact Successful exploitation of the vulnerability may allow an attacker to downgrade the security of an SSH connection when using SSH extension negotiation. The impact in practice heavily depends on the supported extensions. Most commonly, this will impact the security of client authentication when using an RSA public key. CVEs CVE-2023-48795 Results SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22 ChaCha20-Poly1305 Algorithm Support: True CBC-EtM Algorithm Support: False Strict Key Exchange algorithm enabled: False EVM Report Yes EVM Risk Score 4.9 Host Details Host 192.168.30.2 IP Address 192.168.30.2 Operating System IBM OS/390 Tier T3 FQDN Port 22 Protocol tcp Dave Jousma Vice President | Director, Technology Engineering This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
