[talk] [EXTERNAL] Heads Up, OpenSSH MITM "Terrapin"

Callahan, Brian Robert callab5 at rpi.edu
Wed Dec 20 11:13:52 EST 2023


Terrapin is not that serious.

From the OpenSSH 9.6 release notes:
"While cryptographically novel, the security impact of this attack
is fortunately very limited as it only allows deletion of
consecutive messages, and deleting most messages at this stage of
the protocol prevents user authentication from proceeding and
results in a stuck connection.

The most serious identified impact is that it lets a MITM to
delete the SSH2_MSG_EXT_INFO message sent before authentication
starts, allowing the attacker to disable a subset of the keystroke
timing obfuscation features introduced in OpenSSH 9.5. There is no
other discernable impact to session secrecy or session integrity."

https://www.openssh.com/releasenotes.html

~Brian

--
Brian Robert Callahan, Ph.D., CISSP, CCSP, SSCP, CC
Graduate Program Director, ITWS at RPI
Director, Rensselaer Cybersecurity Collaboratory
Office: Lally 304

-----Original Message-----
From: talk <talk-bounces at lists.nycbug.org> On Behalf Of Isaac (.ike) Levy
Sent: Wednesday, December 20, 2023 10:21 AM
To: talk at lists.nycbug.org
Subject: [EXTERNAL][talk] Heads Up, OpenSSH MITM "Terrapin"

Hey all,

If it's not on your holiday radar, there's a serious OpenSSH vulnerability, "Terrapin".

--
For busy folks, the fastest mitigation I've read is in the FreeBSD advisory, https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

IV. Workaround

Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
Ciphers -chacha20-poly1305@openssh.com
MACs -*etm@openssh.com

(restart sshd)

--
Gory details, history, and fancy blowfish graphics:
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

Happy Holidays!

Best,
.ike
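
Added example, not part of the original thread or of the FreeBSD advisory: a shell check that the workaround above actually took effect, run against the effective configuration printed by `sshd -T` (server) or `ssh -G <host>` (client). The function names and the sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Usage (after restarting sshd):  sshd -T | terrapin_check
#                                 ssh -G example-host | terrapin_check
# Feed it effective config only, never the raw ssh_config/sshd_config file.

# terrapin_check: list every algorithm the workaround should have removed.
# Returns 0 if none remain, 1 if any remain, 2 if the input is unusable.
terrapin_check() {
    awk '
        # sshd -T and ssh -G print lowercase "keyword value" pairs
        $1 == "ciphers" || $1 == "macs" {
            if ($2 ~ /^[-+^]/) raw = 1   # list modifier: this is a raw config line
            seen[$1] = 1
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) {
                if ($1 == "ciphers" && alg[i] == "chacha20-poly1305@openssh.com") {
                    print "cipher still enabled: " alg[i]; bad = 1
                }
                # same set as the advisory pattern *etm@openssh.com
                if ($1 == "macs" && alg[i] ~ /etm@openssh\.com$/) {
                    print "MAC still enabled: " alg[i]; bad = 1
                }
            }
        }
        END {
            if (raw || !("ciphers" in seen) || !("macs" in seen)) {
                print "input is not sshd -T / ssh -G output"
                exit 2
            }
            exit bad + 0
        }
    '
}

# Constructed sample: shortened effective config before the workaround.
sample_before() {
    cat <<'EOF'
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
EOF
}

# Constructed sample: the same config after the workaround and a restart.
sample_after() {
    cat <<'EOF'
ciphers aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256,hmac-sha2-512
EOF
}
```

Exit status 2 catches the common mistake of piping in the config file itself, where the `-` prefixed lines would otherwise be misread as enabled algorithms.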


