-
Notifications
You must be signed in to change notification settings - Fork 191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mod_sftp is affected by "Terrapin" Prefix Truncation Attacks in SSH Specification (CVE-2023-48795) #1760
Comments
Yes, the SSH protocol supported by the mod_sftp module is affected by the Terrapin attack. |
…SH protocol attack (CVE-2023-48795).
…SSH protocol attack (CVE-2023-48795).
I find that the OpenSSH 9.6 release notes contain a very nice description of this Terrapin attack:
I will be implementing the same mitigations in mod_sftp. |
…SSH protocol attack (CVE-2023-48795).
…SSH protocol attack (CVE-2023-48795).
…SSH protocol attack (CVE-2023-48795). (#1762)
Fixes merged to |
Will there be new 1.3.8/1.3.9rc releases in the near future, or would it be worth my while to issue a patched update in Fedora in the meantime? |
@pghmcfc I made new releases soon after merging these changes in, expecting that distributions (and users) would be wanting/expecting them: |
@Castaglia, great, thanks! Should have looked at the main site first before asking! |
The new kex CBC and ETM aren’t a problem. CBC was replaced with CTR years ago. Legacy clients using CBC are also using E&M, still secure. CTR+ETM is broken by Terrapin but there’s no known way to exploit it. All MAC go away as we switch everything to AEAD. The Register: SSH shaken, not stirred by Terrapin vulnerability
chacha20 is the problem. Even with the new kex
|
I'm wondering what would be the best approach to take for "Enterprise" distributions, e.g. proftpd in Fedora EPEL for RHEL 7 and 8 (EPEL for RHEL 9 has 1.3.8 so that's just a simple upgrade). I currently have patched versions of 1.3.5e and 1.3.6e in those really old distributions (patched for all previous security issues and some other bugs). I try to stick with the same base release version of proftpd in each distribution so as to avoid any possible regressions or behaviour changes when users receive updates. However, this one looks to be a bit more complicated. The existing mod_sftp in 1.3.6e doesn't even support extension negotiation after the initial key exchange so it's already lacking some countermeasures that Terrapin is attacking. I thought about just using mod_sftp from 1.3.8b but that uses some other proftpd APIs (e.g. pr_snprintf, pr_random_next, pr_config_alloc) that are not available in 1.3.6. I can get 1.3.8b to build OK on these old systems but is it worth the risk of incompatibility? I guess another possibility would be to document that mod_sftp is not enabled by default, note the issues with the implementation as-is and leave it at that? |
@pghmcfc Interestingly, the Terrapin attack is best for downgrading security by specifically interfering with that extension negotiation message; this |
@severach I've been wondering how to make mod_sftp able to require "strict KEX" support from clients, but in a conditional manner. Using However, if we know the "fixed" (updated) client versions that implement "strict KEX", then maybe we can use
This way, we know that if e.g. ChaChaPoly, or the ETM MACs, are used by these clients, the usage is done with the "strict KEX" mitigations in use. One can already use |
Is mod_sftp affected by the TerraPin attack, i.e. https://nvd.nist.gov/vuln/detail/CVE-2023-48795 ?
The text was updated successfully, but these errors were encountered: