Windows stemcells are vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795

[amhuber]

A simple fix would be to add this to the sshd_config in https://github.com/cloudfoundry/stembuild/blob/master/modules/BOSH.SSH/BOSH.SSH.psm1#L132-L143:

Ciphers -chacha20-poly1305@openssh.com

Presumably something like this (first two lines are already present in the default file):

# Ciphers and keying
#RekeyLimit default none
Ciphers -chacha20-poly1305@openssh.com

I've confirmed with https://github.com/RUB-NDS/Terrapin-Scanner that after making that config change sshd is reported as not vulnerable.

[amhuber]

Just FYI, it doesn't look like moving to the most recent OpenSSH version will fully fix the issue since they haven't moved to the 9.6 version yet per PowerShell/Win32-OpenSSH#2189.

[rkoster]

Should also be changed in: https://github.com/cloudfoundry/bosh-psmodules/blob/master/modules/BOSH.SSH/BOSH.SSH.psm1#L132

[tgauth]

Just FYI, it doesn't look like moving to the most recent OpenSSH version will fully fix the issue since they haven't moved to the 9.6 version yet per PowerShell/Win32-OpenSSH#2189.

Just to clarify, the fix for Win32-OpenSSH is included in version 9.5 (this was released the same day as OpenSSH-Portable's 9.6 but only has this patch not the other 9.6 changes, hence the versioning difference).

[amhuber]

Will a fix for this be available in the next build for this month's patching?

[selzoc]

Will a fix for this be available in the next build for this month's patching?

Hi @amhuber, that's the goal! I'm currently working on this change :)

[selzoc]

The fixes for
stembuild: 202056e
and
bosh-psmodules: cloudfoundry/bosh-psmodules@5f08cb2

have been committed, and will work their way through our pipelines. I did run the Terrapin-Scanner above after making this change and I also saw it reported as not vulnerable on a test system.

[amhuber]

Awesome, thank you.