Power


SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

  • 1.  SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Thu January 18, 2024 12:54 PM

    Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

    "The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

    Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

    They have identified all our VIO servers as vulnerable. 

    I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

    Please provide a fix asap.

    Thanks,



    ------------------------------
    Scott Gruber
    ------------------------------


  • 2.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:12 PM

    ... same for us. Is there any known workaround available?



    ------------------------------
    Joerg Humm
    ------------------------------



  • 3.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:27 PM
    I found out that these entries need to be in /etc/ssh/sshd_config:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

    restart the sshd service

    then run: sshd -T on the server and the changes should be there.
    IBM said they're working on publishing a fix by the end of Feb 2024

    Scott Gruber




  • 4.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:28 PM

    then restart sshd and run sshd -T on the server; these should be the only ones there.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 5.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Fri January 26, 2024 01:54 AM
    Edited by Joerg Humm Fri January 26, 2024 01:58 AM

    Hello Scott,

    thanks for your support - great job. I implemented it on some partitions and it seems to work.
    However, it should be double-checked whether this workaround can be implemented on VIOs, shouldn't it?

    Best regards,

    Joerg



    ------------------------------
    Joerg Humm
    ------------------------------



  • 6.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 09:38 AM

    Joerg, 

    Yes, the fix can be applied to VIOs, as I had a ticket with IBM working the issue, which was based on VIOs.

    Enjoy.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 7.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Tue January 30, 2024 02:00 AM

    Scott, 

    thanks for clarification! I implemented the workaround and rescanned the hosts. Both scanners (our internal and the one from github) are happy now.

    Regards,

    Joerg



    ------------------------------
    Joerg Humm
    ------------------------------



  • 8.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 10:11 AM

    Is any subset of these options sufficient?



    ------------------------------
    Mackey Morgan
    ------------------------------



  • 9.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Tue January 30, 2024 09:39 AM

    That I dunno. Basically you need to be sure the following are disabled:

    Ciphers: chacha20-poly1305

    MACs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1



    ------------------------------
    Scott Gruber
    ------------------------------
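As an added example (not code from this thread, from IBM or from Tenable), a small Python checker that applies the scanner rule quoted in the first post to the output of `sshd -T`: flag the server if it still offers ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC. The sample `sshd -T` output is constructed; the "fixed" sample uses the Ciphers/MACs lines from post 3. Strict key exchange support is not visible in `sshd -T` output (it comes with the vendor fix), so it is not checked here.

```python
# Constructed sample of `sshd -T` output for a server still offering the
# algorithm classes the thread says to remove (not taken from any real host).
SAMPLE_VULNERABLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
"""

# Constructed `sshd -T` output after applying the Ciphers/MACs lines from post 3.
SAMPLE_FIXED = """\
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
"""


def parse_sshd_t(text):
    """Turn `sshd -T` output (one 'keyword value' per line) into a dict.
    The list-valued keywords (ciphers, macs, kexalgorithms) are split on commas."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        key, value = parts[0].lower(), parts[1]
        if key in ("ciphers", "macs", "kexalgorithms"):
            settings[key] = [a.strip() for a in value.split(",") if a.strip()]
        else:
            settings[key] = value
    return settings


def terrapin_exposure(sshd_t_output):
    """Apply the rule the scanner quoted in post 1 uses: the server is exposed
    if it offers ChaCha20-Poly1305, or a CBC cipher plus an *-etm@ MAC.
    Returns a dict with a verdict and the offending algorithm names."""
    settings = parse_sshd_t(sshd_t_output)
    ciphers = settings.get("ciphers", [])
    macs = settings.get("macs", [])
    chacha = [c for c in ciphers if c.startswith("chacha20-poly1305")]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if "-etm@" in m]
    findings = []
    if chacha:
        findings.append("ChaCha20-Poly1305 offered: " + ",".join(chacha))
    if cbc and etm:  # both halves are needed for the CBC/EtM variant
        findings.append("CBC cipher with Encrypt-then-MAC offered: " + ",".join(cbc + etm))
    return {"vulnerable": bool(findings), "findings": findings}
```

Run it against the real thing with `sshd -T` piped into `terrapin_exposure()`; the ETM MACs alone are only a finding when a CBC cipher is also offered, which is why post 3's list removes both classes.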



  • 10.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Thu January 25, 2024 10:29 AM

    Q: If your Security Team has identified your sshd as vulnerable, that implies that they have a scanner tool of some type. Is that something you could make available here?
    Related: I found via some research that there are Terrapin scanners available here: https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3

    Q: Is it permitted/advisable for Kyndryls to create an account on github.com in order to download these tools?



    ------------------------------
    Mackey Morgan
    ------------------------------



  • 11.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 09:40 AM

    I believe they paid for the tool from Tenable.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 12.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 31, 2024 11:08 AM

    Is there a mitigation patch for the HMCs? Tenable is flagging our HMCs as not compliant. We are running HMC V10R2 M1031.



    ------------------------------
    Juan Ruiz
    ------------------------------



  • 13.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Thu February 01, 2024 09:13 AM

    IBM stated the HMC patch should come out Feb 23, 2024.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 14.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon February 12, 2024 12:38 PM

    Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM z (HMC V2R15M0)?
    Thank you



    ------------------------------
    Cristiano Alves de Oliveira
    ------------------------------



  • 15.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted Tue February 13, 2024 07:40 AM

    You could have at least started a new thread...  However I'll try to help.

    About all I know about Z is that it's produced by IBM.  But I have a fairly good grasp of Power systems and HMCs.  In the Power world HMC V2 is stone age old.  Do Z systems have a matrix like these saying what versions of HMC are supported with what versions of firmware?  It is critical that one keeps a level of HMC compatible with the level of firmware on the system(s) that it manages.  Here is a sample chart showing what levels of firmware can support what levels of HMC:  https://esupport.ibm.com/customercare/flrt/matrix?domain=mtm=9105-42A&pkey=pwr

    IBM also has a tool called Fix Level Recommendation Tool (FLRT), but it also seems geared towards Power systems.  In FLRT you tell it what Power system you have, what level of firmware you have, what model and level of HMC you have and what OSes and their levels you are running, and it will recommend updates to each which are supported by each other.

    Hmm, maybe HMC versions for Z systems are totally different from HMC versions for Power systems.  I'm basing it off of this:  https://www-40.ibm.com/servers/resourcelink/lib03060.nsf/pages/zSystemsFirmwareUpdatesAndFixes?OpenDocument

    Can you find your model and level of HMC at Fix Central and see if there are any fixes?  IBM Support: Fix Central



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 16.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted Tue February 13, 2024 07:42 AM

    Upon rereading this I may be wrong about starting a new thread if you were truly concerned about addressing that CVE with your level of HMC.  Sorry.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 17.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed February 14, 2024 07:39 AM
    Hi Robert, thank you so much!

    Best regards,


    Cristiano Oliveira


  • 18.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted Tue April 02, 2024 12:51 PM

    I know you've all worked around this by modifying a few files.  I come from an IBM i background and I am more comfortable with putting on new releases and fixes than modifying configuration files.  Although we have done this for ssh ciphers too.

    Any chance that this only affects certain levels of VIOS?  Like, if we're at 3.1.4.31 we're cool?  I just upgraded to that in March.  Not sure if the team doing the scanning scans our VIOS LPARs (or HMC).  They did complain about our AIX.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 19.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Tue April 02, 2024 01:22 PM

    Unfortunately ALL VIOS versions are affected. Basically VIOS is VIO software on top of AIX :)

    Hope this helps,



    ------------------------------
    Scott Gruber
    ------------------------------



  • 20.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted Tue April 02, 2024 02:20 PM

    I see there is a Power System HMC patch for CVE-2023-48795.

    PTF MF71685 HMC V10 R3 M1051.1 – for vHMC for x86_64 hypervisors  (5765-VHX)

    PTF MF71686 HMC V10 R3 M1051.1 – for 7063 Hardware or vHMC for PowerVM (5765-HMB)

    ...

    Fixed SSH vulnerability: CVE-2023-48795

    ...

    Found this in the PTF cover letter at Fix Central.

    Already patched one HMC.  Going to patch the other.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 21.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted Wed April 03, 2024 07:38 AM

    Fixes for AIX and VIOS are available and documented at:

    https://www.ibm.com/support/pages/node/7125640



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------