Power


SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

  • 1.  SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Thu January 18, 2024 12:54 PM

    Our Security team has identified our sshd server as vulnerable to the Terrapin attack. 

    "The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

    Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions."

    They have identified all our VIO servers as vulnerable. 

    I have tried to add ONLY the ciphers and MACs in the /etc/ssh/sshd_config file that are not vulnerable and restarted the sshd service, but it didn't work.

    Please provide a fix asap.

    Thanks,



    ------------------------------
    Scott Gruber
    ------------------------------


  • 2.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:12 PM

    ... same for us. Is there any known workaround available?



    ------------------------------
    Joerg Humm
    ------------------------------



  • 3.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:27 PM
    I found out that these entries need to be in /etc/ssh/sshd_config:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

    Restart the sshd service.

    Then run: sshd -T on the server, and the changes should be there.
    IBM said they're working on publishing a fix by the end of Feb 2024.

    Scott Gruber




  • 4.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 24, 2024 05:28 PM

    Then restart sshd and run sshd -T on the server; these should be the only ones there.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 5.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Fri January 26, 2024 01:54 AM
    Edited by Joerg Humm Fri January 26, 2024 01:58 AM

    Hello Scott,

    thanks for your support - great job. I implemented it on some partitions and it seems to work.
    However, it should be double-checked whether this workaround can be implemented on VIOs, shouldn't it?

    Best regards,

    Joerg



    ------------------------------
    Joerg Humm
    ------------------------------



  • 6.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 09:38 AM

    Joerg, 

    Yes, the fix can be applied to VIOs, as I had a ticket with IBM working the issue, which was based on VIOs.

    Enjoy.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 7.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Tue January 30, 2024 02:00 AM

    Scott, 

    thanks for the clarification! I implemented the workaround and rescanned the hosts. Both scanners (our internal one and the one from GitHub) are happy now.

    Regards,

    Joerg



    ------------------------------
    Joerg Humm
    ------------------------------



  • 8.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 10:11 AM

    Is any subset of these options sufficient?



    ------------------------------
    Mackey Morgan
    ------------------------------



  • 9.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Tue January 30, 2024 09:39 AM

    That I dunno. Basically you need to be sure the following are disabled:

    Ciphers: chacha20-poly1305

    MACs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1



    ------------------------------
    Scott Gruber
    ------------------------------
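The question in post 8 (which subset of the settings is enough) can be checked mechanically against what the scanner quoted in post 1 actually tests: the server offers ChaCha20-Poly1305, or it offers a CBC cipher together with an Encrypt-then-MAC (`-etm`) MAC. The script below is an added example, not code from this thread, from IBM or from the OpenSSH project. It parses the effective configuration that `sshd -T` prints and reports those two conditions, so the lists from post 3 and the disable list from post 9 can be verified after a restart. The `sshd -T` outputs embedded in it are constructed samples; the assumption that the strict key exchange extension is negotiated on the wire and therefore does not appear in `sshd -T` output is mine, which is why that half of the scanner's check is out of scope here.

```python
"""Check `sshd -T` output for the Terrapin-relevant cipher/MAC combinations.

Added example, not part of the thread. It applies the condition described by
the scanner text quoted in post 1 (ChaCha20-Poly1305, or a CBC cipher combined
with an Encrypt-then-MAC MAC) to the effective sshd configuration. Strict key
exchange is assumed to be invisible to `sshd -T`, so it is not checked here.
"""
from typing import Dict, List

# Constructed sample: an OpenSSH-default-style server that also offers a CBC cipher.
SSHD_T_DEFAULT_STYLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""

# Constructed sample: the Ciphers/MACs lists given in post 3 of the thread.
SSHD_T_THREAD_CONFIG = """\
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
"""


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Turn `sshd -T` output into {keyword: [values]}.

    `sshd -T` prints one lowercase keyword per line followed by its effective
    value; list-valued keywords (ciphers, macs, kexalgorithms) are comma-separated.
    """
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        keyword, value = line.split(None, 1)
        conf[keyword.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return conf


def terrapin_findings(conf: Dict[str, List[str]]) -> List[str]:
    """Return one finding per scanner condition that the configuration satisfies."""
    ciphers = conf.get("ciphers", [])
    macs = conf.get("macs", [])
    findings: List[str] = []

    # Condition 1: any ChaCha20-Poly1305 cipher is offered.
    chacha = [c for c in ciphers if c.startswith("chacha20-poly1305")]
    if chacha:
        findings.append("ChaCha20-Poly1305 offered: " + ", ".join(chacha))

    # Condition 2: a CBC cipher is offered together with an Encrypt-then-MAC MAC.
    # A CBC cipher alone, or an -etm MAC alone, does not meet this condition.
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if "-etm@" in m]
    if cbc and etm:
        findings.append(
            "CBC cipher(s) " + ", ".join(cbc) + " offered with Encrypt-then-MAC MAC(s) " + ", ".join(etm)
        )
    return findings


def is_terrapin_exposed(sshd_t_output: str) -> bool:
    """True when `sshd -T` output meets at least one of the scanner's conditions."""
    return bool(terrapin_findings(parse_sshd_t(sshd_t_output)))


def report(label: str, sshd_t_output: str) -> None:
    findings = terrapin_findings(parse_sshd_t(sshd_t_output))
    print(f"{label}: {'EXPOSED' if findings else 'not flagged by the cipher/MAC check'}")
    for f in findings:
        print("  - " + f)


if __name__ == "__main__":
    # On a real host, replace the constants with the captured output of `sshd -T`.
    report("default-style config", SSHD_T_DEFAULT_STYLE)
    report("thread config (post 3)", SSHD_T_THREAD_CONFIG)
```

Run it against `sshd -T` output captured on the server after the restart described in posts 3 and 4; the thread's own lists pass because they contain no ChaCha20-Poly1305 cipher and no `-etm` MAC at all, while a configuration that keeps CTR/GCM ciphers with `-etm` MACs (no CBC) also satisfies the cipher/MAC half of the check as the scanner describes it.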



  • 10.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Thu January 25, 2024 10:29 AM

    Q: If your Security Team has identified your sshd as vulnerable, that implies that they have a scanner tool of some type. Is that something you could make available here?
    Related: I found via some research that there are Terrapin scanners available here: https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3

    Q: Is it permitted/advisable for Kyndryls to create an account on github.com in order to download these tools?



    ------------------------------
    Mackey Morgan
    ------------------------------



  • 11.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Mon January 29, 2024 09:40 AM

    I believe they paid for the tool from Tenable.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 12.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted Wed January 31, 2024 11:08 AM

    Is there a mitigation patch for the HMCs? Tenable is flagging our HMCs as not compliant. We are running HMC V10R2 M1031.



    ------------------------------
    Juan Ruiz
    ------------------------------



  • 13.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted 30 days ago

    IBM stated Feb 23, 2024 the HMC patch should come out.



    ------------------------------
    Scott Gruber
    ------------------------------



  • 14.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted 19 days ago

    Hello, I know the channel is for IBM Power topics, but could you please tell me if a patch will be released for IBM Z (HMC V2R15M0)?
    Thank you.



    ------------------------------
    Cristiano Alves de Oliveira
    ------------------------------



  • 15.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted 18 days ago

    You could have at least started a new thread...  However I'll try to help.

    About all I know about Z is that it's produced by IBM.  But I have a fairly good grasp of Power systems and HMCs.  In the Power world HMC V2 is stone-age old.  Do Z systems have a matrix like this saying what versions of HMC are supported with what versions of firmware?  It is critical that one keeps a level of HMC compatible with the level of firmware on the system(s) that it manages.  Here is a sample chart showing what levels of firmware can support what levels of HMC:  https://esupport.ibm.com/customercare/flrt/matrix?domain=mtm=9105-42A&pkey=pwr

    IBM also has a tool called the Fix Level Recommendation Tool (FLRT), but it also seems geared towards Power systems.  In FLRT you tell it what Power system you have, what level of firmware you have, what model and level of HMC you have, and what OSs and levels you are running, and it will recommend updates to each which are supported by each other.

    Hmm, maybe HMC versions for Z systems are totally different than HMC versions for Power systems.  I'm basing that off of this:  https://www-40.ibm.com/servers/resourcelink/lib03060.nsf/pages/zSystemsFirmwareUpdatesAndFixes?OpenDocument

    Can you find your model and level of HMC at Fix Central and see if there are any fixes?  IBM Support: Fix Central



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 16.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    IBM Champion
    Posted 18 days ago

    Upon rereading this I may be wrong about starting a new thread if you were truly concerned about addressing that CVE with your level of HMC.  Sorry.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 17.  RE: SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

    Posted 17 days ago
    Hi Robert, thank you so much!

    Best regards,

     

    Cristiano Oliveira