Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows stemcells are vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795 #25

Closed
amhuber opened this issue Jan 16, 2024 · 7 comments
Closed

Windows stemcells are vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795 #25

amhuber opened this issue Jan 16, 2024 · 7 comments
Assignees
@jpalermo

Comments

@amhuber
Copy link

amhuber commented Jan 16, 2024

A simple fix would be to add this to the sshd_config in https://github.com/cloudfoundry/stembuild/blob/master/modules/BOSH.SSH/BOSH.SSH.psm1#L132-L143:

Ciphers -chacha20-poly1305@openssh.com

Presumably something like this (first two lines are already present in the default file):

# Ciphers and keying
#RekeyLimit default none
Ciphers -chacha20-poly1305@openssh.com

I've confirmed with https://github.com/RUB-NDS/Terrapin-Scanner that after making that config change sshd is reported as not vulnerable.
@amhuber
Copy link
Author

amhuber commented Jan 16, 2024

Just FYI, it doesn't look like moving to the most recent OpenSSH version will fully fix the issue since they haven't moved to the 9.6 version yet per PowerShell/Win32-OpenSSH#2189.

@rkoster
Copy link
Contributor

rkoster commented Jan 18, 2024

Should also be changed in: https://github.com/cloudfoundry/bosh-psmodules/blob/master/modules/BOSH.SSH/BOSH.SSH.psm1#L132

@rkoster rkoster moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jan 18, 2024
@tgauth
Copy link

tgauth commented Jan 29, 2024

Just FYI, it doesn't look like moving to the most recent OpenSSH version will fully fix the issue since they haven't moved to the 9.6 version yet per PowerShell/Win32-OpenSSH#2189.

Just to clarify, the fix for Win32-OpenSSH is included in version 9.5 (this was released the same day as OpenSSH-Portable's 9.6 but only has this patch not the other 9.6 changes, hence the versioning difference).

@amhuber
Copy link
Author

amhuber commented Feb 8, 2024

Will a fix for this be available in the next build for this month's patching?

@selzoc
Copy link
Member

selzoc commented Feb 8, 2024

Will a fix for this be available in the next build for this month's patching?

Hi @amhuber, that's the goal! I'm currently working on this change :)

@selzoc
Copy link
Member

selzoc commented Feb 8, 2024

The fixes for
stembuild: 202056e
and
bosh-psmodules: cloudfoundry/bosh-psmodules@5f08cb2

have been committed, and will work their way through our pipelines. I did run the Terrapin-Scanner above after making this change and I also saw it reported as not vulnerable on a test system.

@amhuber
Copy link
Author

amhuber commented Feb 8, 2024

Awesome, thank you.

@amhuber amhuber closed this as completed Feb 8, 2024
@github-project-automation github-project-automation bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Feb 8, 2024
@AbelHu AbelHu mentioned this issue Mar 1, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jpalermo jpalermo

Labels
None yet
Projects
Foundational Infrastructure Working Group
Archived in project
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jpalermo @rkoster @selzoc @amhuber @tgauth