Power

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

... same for us. Is there any known workaround available?

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

then restart sshd - and run sshd -T on the server, these should be only ones there

------------------------------
Scott Gruber

Original Message:
Sent: Wed January 24, 2024 05:26 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795

I found out that these entries need to be in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

Hello Scott,

thanks for your support - great job. I implemented it on some partitions and it seem to work.
However it should be doublechecked whether this workaround can be implemented on VIOs, shouldn't it?

Best regards,

Joerg

------------------------------
Joerg Humm

Original Message:
Sent: Wed January 24, 2024 05:28 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795

then restart sshd - and run sshd -T on the server, these should be only ones there

------------------------------
Scott Gruber

Original Message:
Sent: Wed January 24, 2024 05:26 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795

I found out that these entries need to be in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

Joerg, 

Yes the fix can be applied to VIOs as I had a ticket with IBM in working the issue which was based on VIOs.

Enjoy.

Hello Scott,

thanks for your support - great job. I implemented it on some partitions and it seem to work.
However it should be doublechecked whether this workaround can be implemented on VIOs, shouldn't it?

Best regards,

Joerg

------------------------------
Joerg Humm

Original Message:
Sent: Wed January 24, 2024 05:28 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795

then restart sshd - and run sshd -T on the server, these should be only ones there

------------------------------
Scott Gruber

Original Message:
Sent: Wed January 24, 2024 05:26 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795

I found out that these entries need to be in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

Is any subset of these options sufficient?

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Q: If your Security Team has identified your sshd as vulnerable, that implies that they have a scanner tool of some type. Is that something you could make available here? 
Related: I found via some research that there are terrapin scanners available here: https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3

Q: Is it permitted/advisable for Kyndryls to create an account on github.com in order to download these tools?

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Is there a mitigation patch for the HMC's ? Tenable is flagging our HMCs as not complaint. We are running HMC V10R2 M1031

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

IBM Stated Feb 23, 2024 the HMC patch should come out.

Is there a mitigation patch for the HMC's ? Tenable is flagging our HMCs as not complaint. We are running HMC V10R2 M1031

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM z (HMC V2R15M0)?
Thank you

IBM Stated Feb 23, 2024 the HMC patch should come out.

Is there a mitigation patch for the HMC's ? Tenable is flagging our HMCs as not complaint. We are running HMC V10R2 M1031

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

You could have at least started a new thread...  However I'll try to help.

About all I know about Z is that it's produced by IBM.  But I have a fairly good grasp about Power systems and HMC's.  In the Power world HMC V2 is stone age old.  Does Z systems have a matrix like these saying what versions of HMC are supported with what versions of firmware?  It is critical that one keeps a level of HMC compatible with the level of firmware on the system(s) that it manages.  Here is a sample chart showing what levels of firmware can support what levels of HMC:  https://esupport.ibm.com/customercare/flrt/matrix?domain=mtm=9105-42A&pkey=pwr

IBM also has a tool called Fix Level Recommendation Tool (FLRT) but it also seems geared towards Power systems.  In FLRT you tell it what Power system you have, what level of firmware you have, what model and level of HMC you have and what OS's and their level you are running and it will recommend updates to each which are supported by each other.

Hmm, maybe HMC versions for Z systems is totally different than HMC versions for Power systems.  I'm basing it off of this:  https://www-40.ibm.com/servers/resourcelink/lib03060.nsf/pages/zSystemsFirmwareUpdatesAndFixes?OpenDocument

Can you find your model and level of HMC at Fix Central and see if there are any fixes?  IBM Support: Fix Central

Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM z (HMC V2R15M0)?
Thank you

IBM Stated Feb 23, 2024 the HMC patch should come out.

Is there a mitigation patch for the HMC's ? Tenable is flagging our HMCs as not complaint. We are running HMC V10R2 M1031

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Upon rereading this I may be wrong about starting a new thread if you were truly concerned about addressing that CVE with your level of HMC.  Sorry.

You could have at least started a new thread...  However I'll try to help.

About all I know about Z is that it's produced by IBM.  But I have a fairly good grasp about Power systems and HMC's.  In the Power world HMC V2 is stone age old.  Does Z systems have a matrix like these saying what versions of HMC are supported with what versions of firmware?  It is critical that one keeps a level of HMC compatible with the level of firmware on the system(s) that it manages.  Here is a sample chart showing what levels of firmware can support what levels of HMC:  https://esupport.ibm.com/customercare/flrt/matrix?domain=mtm=9105-42A&pkey=pwr

IBM also has a tool called Fix Level Recommendation Tool (FLRT) but it also seems geared towards Power systems.  In FLRT you tell it what Power system you have, what level of firmware you have, what model and level of HMC you have and what OS's and their level you are running and it will recommend updates to each which are supported by each other.

Hmm, maybe HMC versions for Z systems is totally different than HMC versions for Power systems.  I'm basing it off of this:  https://www-40.ibm.com/servers/resourcelink/lib03060.nsf/pages/zSystemsFirmwareUpdatesAndFixes?OpenDocument

Can you find your model and level of HMC at Fix Central and see if there are any fixes?  IBM Support: Fix Central

Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM z (HMC V2R15M0)?
Thank you

IBM Stated Feb 23, 2024 the HMC patch should come out.

Is there a mitigation patch for the HMC's ? Tenable is flagging our HMCs as not complaint. We are running HMC V10R2 M1031

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

I know you've all worked around this by modifying a few files.  I come from an IBM i background and I am more comfortable with putting on new releases and fixes than modifying configuration files.  Although we have do this this for ssh ciphers too.

Any chance that this only affects certain levels of VIOS?  Like, if we're at 3.1.4.31 we're cool?  I just upgraded to that in March.  Not sure if the team doing the scanning scans our vios lpars (or HMC).  They did complain about our AIX.

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

I know you've all worked around this by modifying a few files.  I come from an IBM i background and I am more comfortable with putting on new releases and fixes than modifying configuration files.  Although we have do this this for ssh ciphers too.

Any chance that this only affects certain levels of VIOS?  Like, if we're at 3.1.4.31 we're cool?  I just upgraded to that in March.  Not sure if the team doing the scanning scans our vios lpars (or HMC).  They did complain about our AIX.

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,

Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

They have identified all our VIO servers as vulnerable. 

I have tried to Add ONLY the ciphers and Macs in /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

Please provide a fix asap.

Thanks,