OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: tja on December 27, 2023, 07:54:01 AM

Title: CVE-2023-48795
Post by: tja on December 27, 2023, 07:54:01 AM
hi.

i stumbled over
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
also see
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

as far as i (try to) understand the attack needs to be MITM and can downgrade the secure channel(s) to unsecure/observable.
but i don't quite grasp how to interpret the relation to the "ssh client" CVEs (f.e. CVE-2023-46445).

researching further i find that my opnsense 23.7.10_1 uses openssh-portable 9.3.p2_2,1 - for which at least the repo for the 9.3 version (https://github.com/openssh/openssh-portable/tree/V_9_3) seems to be unchanged since july - but i obviously know nothing about the dev process of opnsense so i can't see if "our" package is already patched against this kind of attacks.

can someone more knowledgeable step up and help me out here ?

tia,tja...
Title: Re: CVE-2023-48795
Post by: Stormscape on December 27, 2023, 09:28:46 AM
As a temporary measure, if you're really that worried about security, simply remove ChaCha20-Poly1305 from the list of allowed ciphers in System -> Settings -> Administration, by changing the Ciphers list to be the CTR and GCM ciphers only, specifically these ones:
aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
Since it's the end of the year right now, it might not be until the new year that updates get issued for FreeBSD. That workaround was advised by Fabian Bäumer, one of the authors of the paper on that attack, so I'd go with that for now.
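
One way to confirm the cipher restriction described in the post above took effect, as an added example that is not part of the original thread. It assumes the effective configuration is read from `sshd -T` (OpenSSH's extended test mode); the function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Ciphers from the workaround list quoted in the post above.
ALLOWED="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# Constructed samples in the "keyword value" form that `sshd -T` prints.
SAMPLE_BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
SAMPLE_AFTER='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Read sshd -T style text on stdin; print each offered cipher that is
# not in ALLOWED, one per line.
extra_ciphers() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        tolower($1) == "ciphers" {
            m = split($2, c, ",")
            for (i = 1; i <= m; i++)
                if (c[i] != "" && !(c[i] in ok)) print c[i]
        }'
}

# Exit status: 0 = only workaround ciphers offered, 1 = something else
# is still offered, 2 = no ciphers line in the input (nothing was checked).
check_ciphers() {
    input=$(cat)
    if ! printf '%s\n' "$input" | grep -qi '^ciphers[[:space:]]'; then
        echo "no ciphers line found; is this sshd -T output?" >&2
        return 2
    fi
    extra=$(printf '%s\n' "$input" | extra_ciphers)
    if [ -n "$extra" ]; then
        # Unquoted on purpose: one output line per remaining cipher.
        printf 'still offered: %s\n' $extra
        return 1
    fi
    echo "cipher list matches the workaround"
    return 0
}

# Demo on the constructed sample; on a live system run as root:
#   sshd -T | check_ciphers
printf '%s\n' "$SAMPLE_BEFORE" | check_ciphers || true
```
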
Title: Re: CVE-2023-48795
Post by: doktornotor on December 27, 2023, 10:26:15 AM
https://forum.opnsense.org/index.php?topic=37718.msg185075#msg185075
Title: Re: CVE-2023-48795
Post by: tja on December 27, 2023, 10:43:57 AM
thx very much :)
Title: Re: CVE-2023-48795
Post by: franco on December 27, 2023, 12:07:20 PM
Posted a test package in the other thread.


Cheers,
Franco