Hi Robert, thank you so much!
Best regards,
Cristiano Oliveira
Original Message:
Sent: 2/13/2024 7:42:00 AM
From: Robert Berendt
Subject: RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
Upon rereading this I may be wrong about starting a new thread if you were truly concerned about addressing that CVE with your level of HMC. Sorry.
------------------------------
Robert Berendt, IBM Champion
------------------------------
Original Message:
Sent: Tue February 13, 2024 07:39 AM
From: Robert Berendt
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
You could have at least started a new thread... However, I'll try to help.
About all I know about Z is that it's produced by IBM. But I have a fairly good grasp about Power systems and HMCs. In the Power world HMC V2 is stone age old. Do Z systems have a matrix like these saying what versions of HMC are supported with what versions of firmware? It is critical that one keeps a level of HMC compatible with the level of firmware on the system(s) that it manages. Here is a sample chart showing what levels of firmware can support what levels of HMC: https://esupport.ibm.com/customercare/flrt/matrix?domain=mtm=9105-42A&pkey=pwr
IBM also has a tool called Fix Level Recommendation Tool (FLRT), but it also seems geared towards Power systems. In FLRT you tell it what Power system you have, what level of firmware you have, what model and level of HMC you have, and what OSs and their levels you are running, and it will recommend updates to each which are supported by each other.
Hmm, maybe HMC versions for Z systems are totally different than HMC versions for Power systems. I'm basing it off of this: https://www-40.ibm.com/servers/resourcelink/lib03060.nsf/pages/zSystemsFirmwareUpdatesAndFixes?OpenDocument
Can you find your model and level of HMC at Fix Central and see if there are any fixes? IBM Support: Fix Central
------------------------------
Robert Berendt, IBM Champion
Original Message:
Sent: Mon February 12, 2024 12:38 PM
From: Cristiano Alves de Oliveira
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM z (HMC V2R15M0)?
Thank you
------------------------------
Cristiano Alves de Oliveira
Original Message:
Sent: Thu February 01, 2024 09:12 AM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
IBM stated that on Feb 23, 2024 the HMC patch should come out.
------------------------------
Scott Gruber
Original Message:
Sent: Tue January 30, 2024 03:45 PM
From: Juan Ruiz
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
Is there a mitigation patch for the HMCs? Tenable is flagging our HMCs as not compliant. We are running HMC V10R2 M1031.
------------------------------
Juan Ruiz
Original Message:
Sent: Thu January 18, 2024 12:53 PM
From: Scott Gruber
Subject: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
Our Security team has identified our sshd server as vulnerable to the Terrapin attack.
"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.
Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."
They have identified all our VIO servers as vulnerable.
I have tried to add ONLY the ciphers and MACs in the /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.
Please provide a fix asap.
Thanks,
------------------------------
Scott Gruber
------------------------------
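The scanner text quoted in the first post spells out the rule it applies: a server is flagged when it offers ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC, and does not advertise the strict key exchange countermeasure. The script below is an added example (not IBM, Tenable or HMC code) that applies that same rule to the server KEXINIT section of `ssh -vv` debug output, so an administrator can reproduce the check against a VIO server or HMC before and after a change; the sample debug output is constructed.

```python
"""Terrapin (CVE-2023-48795) exposure check over `ssh -vv` debug output.
Added example; the algorithm lists in SAMPLE are constructed, not captured."""
import re

STRICT_KEX = "kex-strict-s-v00@openssh.com"  # OpenSSH strict-kex marker (server side)
CHACHA = "chacha20-poly1305@openssh.com"
FIELDS = {"KEX algorithms": "kex", "ciphers stoc": "ciphers", "MACs stoc": "macs"}


def parse_server_kexinit(debug_output):
    """Return (kex, ciphers, macs) lists from the peer server KEXINIT proposal.
    Lines belonging to the local client proposal are skipped."""
    lists = {"kex": [], "ciphers": [], "macs": []}
    in_peer = False
    for line in debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_peer = True
            continue
        m = re.match(r"debug2: (KEX algorithms|ciphers stoc|MACs stoc): (.*)", line)
        if in_peer and m:
            lists[FIELDS[m.group(1)]] = m.group(2).strip().split(",")
    return lists["kex"], lists["ciphers"], lists["macs"]


def terrapin_exposure(kex, ciphers, macs):
    """Return (exposed, reasons) using the scanner's rule: exposed when the
    server offers ChaCha20-Poly1305, or a CBC cipher plus an EtM MAC, and
    does not advertise strict key exchange."""
    reasons = []
    if CHACHA in ciphers:
        reasons.append("offers " + CHACHA)
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        reasons.append("offers CBC %s with EtM %s" % (",".join(cbc), ",".join(etm)))
    if STRICT_KEX in kex:
        return False, reasons  # countermeasure advertised; not exposed
    return bool(reasons), reasons


# Constructed sample in the shape of `ssh -vv` output: server without strict kex.
SAMPLE = """debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,kex-strict-c-v00@openssh.com
debug2: ciphers stoc: aes256-gcm@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

if __name__ == "__main__":
    print(terrapin_exposure(*parse_server_kexinit(SAMPLE)))
```

Pipe the real output of `ssh -vv user@host` into `parse_server_kexinit` to check a live server; the strict-kex marker only appears once the server's SSH software itself has been updated, so trimming the cipher and MAC lists alone clears the rule only if it removes every ChaCha20 and CBC+EtM offer.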