Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)

[Marcus Meissner <meissner () suse de>]

On Tue, Dec 19, 2023 at 01:31:03PM -0800, Alan Coopersmith wrote:
> On 12/18/23 08:08, Fabian Bäumer wrote:
> > ### Mitigations
> >
> > To mitigate this protocol vulnerability, OpenSSH suggested a so-called
> > "strict kex" which alters the SSH handshake to ensure a
> > Man-in-the-Middle attacker cannot introduce unauthenticated messages as
> > well as convey sequence number manipulation across handshakes. Support
> > for strict key exchange has been added to a variety of SSH
> > implementations, including OpenSSH itself, PuTTY, libssh, and more.
> >
> > **Warning: To take effect, both the client and server must support this
> > countermeasure.**
>
> Open source projects I see have implemented this already are:
>
> - AsyncSSH 2.14.2:
>   https://asyncssh.readthedocs.io/en/latest/changes.html#release-2-14-2-18-dec-2023
>
> - Dropbear git:
>   https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
>
> - Erlang ssh 5.1.1:
>   https://www.erlang.org/doc/apps/ssh/notes
>
> - golang.org/x/crypto 0.17.0:
>   https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
>
> - libssh 0.10.6 and 0.9.8:
>   https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
>
> - libssh2 git:
>   https://github.com/libssh2/libssh2/issues/1290
>   https://github.com/libssh2/libssh2/pull/1291
>
> - OpenSSH 9.6:
>   https://www.openssh.com/txt/release-9.6
>
> - Paramiko 3.4.0:
>   https://www.paramiko.org/changelog.html#3.4.0
>
> - PuTTY 0.80:
>   https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html
>
> - russh 0.40.2:
>   https://github.com/warp-tech/russh/releases/tag/v0.40.2
>
> - SFTPGo 2.5.6:
>   https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
>
> - ssh2 [node.js/npm] 1.15.0:
>   https://github.com/mscdex/ssh2/commits/v1.15.0
>
> - Tera Term 5.1:
>   https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
>
> - Thrussh 0.35.1:
>   https://pijul.org/posts/2023-12-18-thrussh-cve/
>
> There's also some open bugs against these open source projects that are not yet handled:
>
> - Apache Mina:
>   https://github.com/apache/mina-sshd/issues/445
>
> - ProFTPD (mod_sftp):
>   https://github.com/proftpd/proftpd/issues/1760
>
> - SSHJ:
>   https://github.com/hierynomus/sshj/issues/916

some more

Jsch (Java SSH): release 0.2.15 fixes it https://github.com/mwiede/jsch/releases/tag/jsch-0.2.15

Also apache-sshd and trilead-ssh2 as Java SSH implementations are
affected.

tinyssh affected, has a ticket open.

rubygem-net-ssh also affected.

The rust ecosystem has a ssh crate which fixates its used libssh version. "libssh2-sys", so
crates and binaries referencing will need updates.

python Twisted has an SSH stack too, but no chacha or etm macs so far. 

Ciao, Marcus