Terrapin Mitigation: "strict-kex" #445
Labels
feature request
A request for a new feature
Milestone
Comments
|
According to OpenSSH PROTOCOL - section
However, it does not specify which sequence number to reset - the incoming our outgoing. Bear in mind that the NEWKEYS message is "symmetrical" - if we sent one, then an incoming one is due any time and vice versa. Since the sequence number is part of the encryption (if this is not the 1st NEWKEYS) then we need to know whether we sent the request or are responding to it. |
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
|
Working on it (trying to at least...) |
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 21, 2023
Strict key exchange resets the sequence number of the corresponding direction after it has received a SSH_MSG_NEWKEYS message. I. e. when receiving SSH_MSG_NEWKEYS from the remote peer reset the incoming sequence number, when sending SSH_MSG_NEWKEYS reset the outgoing sequence number. The SSH_MSG_NEWKEYS itself is handled under the old sequence numbers (sequence number 0 will be the first message after SSH_MSG_NEWKEYS). |
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
|
I pretty much figured this out on my own - the comment was just a reminder for myself to figure the correct implementation. Thanks for your answer - it puts me more at ease to know that others have reached the same conclusion I did. |
|
Yeah, I expected that kind of response, given that I replied 6 hours later. If any additional questions pop up during the implementation of "strict kex", just let me know. I'm most likely going to be able to answer them. |
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
|
Thx - will do |
|
See #446 - still working on it (polishing it) but it seems promising |
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 22, 2023
renovate bot
referenced
this issue
in sheldonhull/az-pr
Dec 25, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/crypto | `v0.16.0` -> `v0.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | copilot:all ### GitHub Vulnerability Alerts #### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. --- ### Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details ##### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ##### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ##### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ##### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. #### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) - [https://nvd.nist.gov/vuln/detail/CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) - [https://github.com/apache/mina-sshd/issues/445](https://togithub.com/apache/mina-sshd/issues/445) - [https://github.com/hierynomus/sshj/issues/916](https://togithub.com/hierynomus/sshj/issues/916) - [https://github.com/janmojzis/tinyssh/issues/81](https://togithub.com/janmojzis/tinyssh/issues/81) - [https://github.com/mwiede/jsch/issues/457](https://togithub.com/mwiede/jsch/issues/457) - [https://github.com/paramiko/paramiko/issues/2337](https://togithub.com/paramiko/paramiko/issues/2337) - [https://github.com/proftpd/proftpd/issues/456](https://togithub.com/proftpd/proftpd/issues/456) - [https://github.com/NixOS/nixpkgs/pull/275249](https://togithub.com/NixOS/nixpkgs/pull/275249) - [https://github.com/libssh2/libssh2/pull/1291](https://togithub.com/libssh2/libssh2/pull/1291) - [https://github.com/mwiede/jsch/pull/461](https://togithub.com/mwiede/jsch/pull/461) - [https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0](https://togithub.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0) - [https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab](https://togithub.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5](https://togithub.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5) - [https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3](https://togithub.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3) - [https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951](https://togithub.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951) - [https://access.redhat.com/security/cve/cve-2023-48795](https://access.redhat.com/security/cve/cve-2023-48795) - [https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/) - [https://bugs.gentoo.org/920280](https://bugs.gentoo.org/920280) - [https://bugzilla.redhat.com/show_bug.cgi?id=2254210](https://bugzilla.redhat.com/show_bug.cgi?id=2254210) - [https://bugzilla.suse.com/show_bug.cgi?id=1217950](https://bugzilla.suse.com/show_bug.cgi?id=1217950) - [https://crates.io/crates/thrussh/versions](https://crates.io/crates/thrussh/versions) - [https://forum.netgate.com/topic/184941/terrapin-ssh-attack](https://forum.netgate.com/topic/184941/terrapin-ssh-attack) - [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6) - [https://github.com/TeraTermProject/teraterm/releases/tag/v5.1](https://togithub.com/TeraTermProject/teraterm/releases/tag/v5.1) - [https://github.com/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) - [https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22](https://togithub.com/connectbot/sshlib/compare/2.2.21...2.2.22) - [https://github.com/drakkan/sftpgo/releases/tag/v2.5.6](https://togithub.com/drakkan/sftpgo/releases/tag/v2.5.6) - [https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42](https://togithub.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42) - [https://github.com/erlang/otp/releases/tag/OTP-26.2.1](https://togithub.com/erlang/otp/releases/tag/OTP-26.2.1) - [https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25](https://togithub.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25) - [https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15](https://togithub.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15) - [https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16](https://togithub.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16) - [https://github.com/openssh/openssh-portable/commits/master](https://togithub.com/openssh/openssh-portable/commits/master) - [https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/master/RELEASE_NOTES) - [https://github.com/rapier1/hpn-ssh/releases](https://togithub.com/rapier1/hpn-ssh/releases) - [https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst](https://togithub.com/ronf/asyncssh/blob/develop/docs/changes.rst) - [https://github.com/ronf/asyncssh/tags](https://togithub.com/ronf/asyncssh/tags) - [https://github.com/warp-tech/russh](https://togithub.com/warp-tech/russh) - [https://github.com/warp-tech/russh/releases/tag/v0.40.2](https://togithub.com/warp-tech/russh/releases/tag/v0.40.2) - [https://gitlab.com/libssh/libssh-mirror/-/tags](https://gitlab.com/libssh/libssh-mirror/-/tags) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/) - [https://matt.ucc.asn.au/dropbear/CHANGES](https://matt.ucc.asn.au/dropbear/CHANGES) - [https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC) - [https://news.ycombinator.com/item?id=38684904](https://news.ycombinator.com/item?id=38684904) - [https://news.ycombinator.com/item?id=38685286](https://news.ycombinator.com/item?id=38685286) - [https://oryx-embedded.com/download/#changelog](https://oryx-embedded.com/download/#changelog) - [https://security-tracker.debian.org/tracker/CVE-2023-48795](https://security-tracker.debian.org/tracker/CVE-2023-48795) - [https://security-tracker.debian.org/tracker/source-package/libssh2](https://security-tracker.debian.org/tracker/source-package/libssh2) - [https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg) - [https://security-tracker.debian.org/tracker/source-package/trilead-ssh2](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2) - [https://thorntech.com/cve-2023-48795-and-sftp-gateway/](https://thorntech.com/cve-2023-48795-and-sftp-gateway/) - [https://twitter.com/TrueSkrillor/status/1736774389725565005](https://twitter.com/TrueSkrillor/status/1736774389725565005) - [https://ubuntu.com/security/CVE-2023-48795](https://ubuntu.com/security/CVE-2023-48795) - [https://www.bitvise.com/ssh-server-version-history](https://www.bitvise.com/ssh-server-version-history) - [https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html) - [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update) - [https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc) - [https://www.netsarang.com/en/xshell-update-history/](https://www.netsarang.com/en/xshell-update-history/) - [https://www.openssh.com/openbsd.html](https://www.openssh.com/openbsd.html) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) - [https://www.openwall.com/lists/oss-security/2023/12/18/2](https://www.openwall.com/lists/oss-security/2023/12/18/2) - [https://www.openwall.com/lists/oss-security/2023/12/20/3](https://www.openwall.com/lists/oss-security/2023/12/20/3) - [https://www.paramiko.org/changelog.html](https://www.paramiko.org/changelog.html) - [https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/) - [https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/) - [https://www.terrapin-attack.com](https://www.terrapin-attack.com) - [http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html) - [http://www.openwall.com/lists/oss-security/2023/12/18/3](http://www.openwall.com/lists/oss-security/2023/12/18/3) - [http://www.openwall.com/lists/oss-security/2023/12/19/5](http://www.openwall.com/lists/oss-security/2023/12/19/5) - [http://www.openwall.com/lists/oss-security/2023/12/20/3](http://www.openwall.com/lists/oss-security/2023/12/20/3) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-45x7-px36-x8w8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6. #### Severity Unknown #### References - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2402) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/sheldonhull/az-pr). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
lgoldstein
pushed a commit
to lgoldstein/mina-sshd
that referenced
this issue
Dec 29, 2023
|
Is this to solve the CVE-2023-48795 vulnerability? When will the new patch version be released? |
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 3, 2024
Implements the OpenSSH "strict KEX" protocol extension.[1] If both parties in a an SSH connection announce support for strict KEX in the initial KEX_INIT message, strict KEX is active; otherwise it isn't. With strict KEX active, there must be only KEX-related messages during the initial key exchange (no IGNORE or DEBUG messages are allowed), and the KEX_INIT message must be the first one to have been received after the initial version exchange. If these conditions are violated, the connection is terminated. Strict KEX also resets message sequence numbers to zero after each NEW_KEYS message sent or received. [1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 3, 2024
Add tests for the restricted message handling if strict KEX is active: * Initial KEX fails if KEX_INIT is not the first message * Initial KEX fails if there are spurious messages like DEBUG during KEX * Re-KEX succeeds even if there are spurious messages
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 3, 2024
Run an Apache MINA sshd client against OpenSSH servers that do have or do not have strict KEX.
Yes.
When it's ready. |
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 4, 2024
Add tests for the restricted message handling if strict KEX is active: * Initial KEX fails if KEX_INIT is not the first message * Initial KEX fails if there are spurious messages like DEBUG during KEX * Re-KEX succeeds even if there are spurious messages
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 4, 2024
Run an Apache MINA sshd client against OpenSSH servers that do have or do not have strict KEX.
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 4, 2024
Implements the OpenSSH "strict KEX" protocol extension.[1] If both parties in a an SSH connection announce support for strict KEX in the initial KEX_INIT message, strict KEX is active; otherwise it isn't. With strict KEX active, there must be only KEX-related messages during the initial key exchange (no IGNORE or DEBUG messages are allowed), and the KEX_INIT message must be the first one to have been received after the initial version exchange. If these conditions are violated, the connection is terminated. Strict KEX also resets message sequence numbers to zero after each NEW_KEYS message sent or received. [1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 4, 2024
Add tests for the restricted message handling if strict KEX is active: * Initial KEX fails if KEX_INIT is not the first message * Initial KEX fails if there are spurious messages like DEBUG during KEX * Re-KEX succeeds even if there are spurious messages
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 4, 2024
Run an Apache MINA sshd client against OpenSSH servers that do have or do not have strict KEX.
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 5, 2024
Implements the OpenSSH "strict KEX" protocol extension.[1] If both parties in a an SSH connection announce support for strict KEX in the initial KEX_INIT message, strict KEX is active; otherwise it isn't. With strict KEX active, there must be only KEX-related messages during the initial key exchange (no IGNORE or DEBUG messages are allowed), and the KEX_INIT message must be the first one to have been received after the initial version exchange. If these conditions are violated, the connection is terminated. Strict KEX also resets message sequence numbers to zero after each NEW_KEYS message sent or received. [1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 5, 2024
Add tests for the restricted message handling if strict KEX is active: * Initial KEX fails if KEX_INIT is not the first message * Initial KEX fails if there are spurious messages like DEBUG during KEX * Re-KEX succeeds even if there are spurious messages
tomaswolf
added a commit
to tomaswolf/mina-sshd
that referenced
this issue
Jan 5, 2024
Run an Apache MINA sshd client against OpenSSH servers that do have or do not have strict KEX.
|
Is this problem/fix on server side ? we are using only sshd clinet , do we need to do something to mitigate the problem ? |
|
The fix (strict kex protocol extension) is required on both sides to be active, see the terrapin website for more details on mitigations. If you remove the affected ciphers this would be effective no matter on which side you do it. |
|
Hello, I want to ask - is there any plan to backport the fix into the 2.9 branch? |
mend-for-github-com bot
referenced
this issue
in DelineaXPM/dsv-k8s-sidecar
Jan 15, 2024
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/crypto | `v0.14.0` -> `v0.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. --- ### Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6. #### Severity Unknown #### References - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2402) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details ##### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ##### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ##### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ##### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. #### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) - [https://nvd.nist.gov/vuln/detail/CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) - [https://github.com/PowerShell/Win32-OpenSSH/issues/2189](https://togithub.com/PowerShell/Win32-OpenSSH/issues/2189) - [https://github.com/apache/mina-sshd/issues/445](https://togithub.com/apache/mina-sshd/issues/445) - [https://github.com/cyd01/KiTTY/issues/520](https://togithub.com/cyd01/KiTTY/issues/520) - [https://github.com/hierynomus/sshj/issues/916](https://togithub.com/hierynomus/sshj/issues/916) - [https://github.com/janmojzis/tinyssh/issues/81](https://togithub.com/janmojzis/tinyssh/issues/81) - [https://github.com/mwiede/jsch/issues/457](https://togithub.com/mwiede/jsch/issues/457) - [https://github.com/paramiko/paramiko/issues/2337](https://togithub.com/paramiko/paramiko/issues/2337) - [https://github.com/proftpd/proftpd/issues/456](https://togithub.com/proftpd/proftpd/issues/456) - [https://github.com/ssh-mitm/ssh-mitm/issues/165](https://togithub.com/ssh-mitm/ssh-mitm/issues/165) - [https://github.com/NixOS/nixpkgs/pull/275249](https://togithub.com/NixOS/nixpkgs/pull/275249) - [https://github.com/libssh2/libssh2/pull/1291](https://togithub.com/libssh2/libssh2/pull/1291) - [https://github.com/mwiede/jsch/pull/461](https://togithub.com/mwiede/jsch/pull/461) - [https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0](https://togithub.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0) - [https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab](https://togithub.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5](https://togithub.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5) - [https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3](https://togithub.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3) - [https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951](https://togithub.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951) - [https://access.redhat.com/security/cve/cve-2023-48795](https://access.redhat.com/security/cve/cve-2023-48795) - [https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/) - [https://bugs.gentoo.org/920280](https://bugs.gentoo.org/920280) - [https://bugzilla.redhat.com/show_bug.cgi?id=2254210](https://bugzilla.redhat.com/show_bug.cgi?id=2254210) - [https://bugzilla.suse.com/show_bug.cgi?id=1217950](https://bugzilla.suse.com/show_bug.cgi?id=1217950) - [https://crates.io/crates/thrussh/versions](https://crates.io/crates/thrussh/versions) - [https://filezilla-project.org/versions.php](https://filezilla-project.org/versions.php) - [https://forum.netgate.com/topic/184941/terrapin-ssh-attack](https://forum.netgate.com/topic/184941/terrapin-ssh-attack) - [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6) - [https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta](https://togithub.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta) - [https://github.com/TeraTermProject/teraterm/releases/tag/v5.1](https://togithub.com/TeraTermProject/teraterm/releases/tag/v5.1) - [https://github.com/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) - [https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22](https://togithub.com/connectbot/sshlib/compare/2.2.21...2.2.22) - [https://github.com/drakkan/sftpgo/releases/tag/v2.5.6](https://togithub.com/drakkan/sftpgo/releases/tag/v2.5.6) - [https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42](https://togithub.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42) - [https://github.com/erlang/otp/releases/tag/OTP-26.2.1](https://togithub.com/erlang/otp/releases/tag/OTP-26.2.1) - [https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25](https://togithub.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25) - [https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15](https://togithub.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15) - [https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16](https://togithub.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16) - [https://github.com/openssh/openssh-portable/commits/master](https://togithub.com/openssh/openssh-portable/commits/master) - [https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/master/RELEASE_NOTES) - [https://github.com/rapier1/hpn-ssh/releases](https://togithub.com/rapier1/hpn-ssh/releases) - [https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst](https://togithub.com/ronf/asyncssh/blob/develop/docs/changes.rst) - [https://github.com/ronf/asyncssh/tags](https://togithub.com/ronf/asyncssh/tags) - [https://github.com/warp-tech/russh](https://togithub.com/warp-tech/russh) - [https://github.com/warp-tech/russh/releases/tag/v0.40.2](https://togithub.com/warp-tech/russh/releases/tag/v0.40.2) - [https://gitlab.com/libssh/libssh-mirror/-/tags](https://gitlab.com/libssh/libssh-mirror/-/tags) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://help.panic.com/releasenotes/transmit5/](https://help.panic.com/releasenotes/transmit5/) - [https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/) - [https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/) - [https://matt.ucc.asn.au/dropbear/CHANGES](https://matt.ucc.asn.au/dropbear/CHANGES) - [https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC) - [https://news.ycombinator.com/item?id=38684904](https://news.ycombinator.com/item?id=38684904) - [https://news.ycombinator.com/item?id=38685286](https://news.ycombinator.com/item?id=38685286) - [https://news.ycombinator.com/item?id=38732005](https://news.ycombinator.com/item?id=38732005) - [https://nova.app/releases/#v11.8](https://nova.app/releases/#v11.8) - [https://oryx-embedded.com/download/#changelog](https://oryx-embedded.com/download/#changelog) - [https://roumenpetrov.info/secsh/#news20231220](https://roumenpetrov.info/secsh/#news20231220) - [https://security-tracker.debian.org/tracker/CVE-2023-48795](https://security-tracker.debian.org/tracker/CVE-2023-48795) - [https://security-tracker.debian.org/tracker/source-package/libssh2](https://security-tracker.debian.org/tracker/source-package/libssh2) - [https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg) - [https://security-tracker.debian.org/tracker/source-package/trilead-ssh2](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2) - [https://security.gentoo.org/glsa/202312-16](https://security.gentoo.org/glsa/202312-16) - [https://security.gentoo.org/glsa/202312-17](https://security.gentoo.org/glsa/202312-17) - [https://security.netapp.com/advisory/ntap-20240105-0004/](https://security.netapp.com/advisory/ntap-20240105-0004/) - [https://thorntech.com/cve-2023-48795-and-sftp-gateway/](https://thorntech.com/cve-2023-48795-and-sftp-gateway/) - [https://twitter.com/TrueSkrillor/status/1736774389725565005](https://twitter.com/TrueSkrillor/status/1736774389725565005) - [https://ubuntu.com/security/CVE-2023-48795](https://ubuntu.com/security/CVE-2023-48795) - [https://winscp.net/eng/docs/history#6.2.2](https://winscp.net/eng/docs/history#6.2.2) - [https://www.bitvise.com/ssh-client-version-history#933](https://www.bitvise.com/ssh-client-version-history#933) - [https://www.bitvise.com/ssh-server-version-history](https://www.bitvise.com/ssh-server-version-history) - [https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html) - [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update) - [https://www.debian.org/security/2023/dsa-5586](https://www.debian.org/security/2023/dsa-5586) - [https://www.debian.org/security/2023/dsa-5588](https://www.debian.org/security/2023/dsa-5588) - [https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc) - [https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508) - [https://www.netsarang.com/en/xshell-update-history/](https://www.netsarang.com/en/xshell-update-history/) - [https://www.openssh.com/openbsd.html](https://www.openssh.com/openbsd.html) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) - [https://www.openwall.com/lists/oss-security/2023/12/18/2](https://www.openwall.com/lists/oss-security/2023/12/18/2) - [https://www.openwall.com/lists/oss-security/2023/12/20/3](https://www.openwall.com/lists/oss-security/2023/12/20/3) - [https://www.paramiko.org/changelog.html](https://www.paramiko.org/changelog.html) - [https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/) - [https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/) - [https://www.terrapin-attack.com](https://www.terrapin-attack.com) - [https://www.theregister.com/2023/12/20/terrapin_attack_ssh](https://www.theregister.com/2023/12/20/terrapin_attack_ssh) - [https://www.vandyke.com/products/securecrt/history.txt](https://www.vandyke.com/products/securecrt/history.txt) - [http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html) - [http://www.openwall.com/lists/oss-security/2023/12/18/3](http://www.openwall.com/lists/oss-security/2023/12/18/3) - [http://www.openwall.com/lists/oss-security/2023/12/19/5](http://www.openwall.com/lists/oss-security/2023/12/19/5) - [http://www.openwall.com/lists/oss-security/2023/12/20/3](http://www.openwall.com/lists/oss-security/2023/12/20/3) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-45x7-px36-x8w8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41Mi4wIiwidXBkYXRlZEluVmVyIjoiMzcuMTA4LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Hello,
is Mina or any contributor planning to work on adding the new OpenSSH protocol extension "strict-KEX" for mitigating Terrapin attacks?
Also did somebody check for the counter overflow conditions mentioned in the advanced counter manupulation section of the paper?
BTW: when implementing config options, I would do it like jssh which allows to define a "required" mode, so you can set up a listener which rejects any handshakes without this protection. (if you want to make "supported" configurable I dont care, seems to be not a big compat problem if implemented correctly)
In addition to resetting the counters the strict mode probbaly also should reject the "filler" debug and ignore mesages - I hope PMC received detailed guidance from the Terrapin team?
Motivation
Users want to mitigate the new protocol attac which can only work if client and server are extended.
Alternatives considered
Turning off the ciphers is an interop problem.
Additional context
https://terrapin-attack.com
The text was updated successfully, but these errors were encountered: