[SOLVED] Mitigations for Terrapin ssh attack?

Started by ripdog, December 22, 2023, 01:02:22 PM

December 22, 2023, 01:02:22 PM Last Edit: December 28, 2023, 02:28:36 PM by franco
Hi all,

A few days ago, the terrapin attack on SSH was disclosed. https://terrapin-attack.com

OpenSSH 9.6 includes a new automatic strict KEX mode to mitigate this attack, but both client and server need to support this. As OPNsense ships OpenSSH 9.3, are there any plans for either an OpenSSH update or a targeted patch?

See the PFSense discussion: https://forum.netgate.com/topic/184941/terrapin-ssh-attack/

FreeBSD advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

It seems upstream has already patched.

December 25, 2023, 12:45:13 PM #1 Last Edit: December 25, 2023, 12:48:32 PM by doktornotor
System - Settings - Administration:

# egrep "^(MACs|Ciphers)" /usr/local/etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com



We are evaluating the hotfix, but need more input to publish it for everyone. It only landed in FreeBSD ports yesterday.

# opnsense-revert -z openssh-portable

Should install the latest version.

# opnsense-revert openssh-portable

Moves it back to the current one.

The reason for this precaution is that while base FreeBSD patches a single problem the port goes from 9.3 to 9.6 which is usually high risk with lots of changes and sometimes deprecations.


Cheers,
Franco

openssh-portable 9.6.p1_1,1 works for me, no side effects so far.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on December 27, 2023, 07:25:07 PM
openssh-portable 9.6.p1_1,1 works for me, no side effects so far.

Same here.
In theory there is no difference between theory and practice. In practice there is.


Works fine for me.

Sent from my SM-A536B using Tapatalk



Thanks Franco! Did you build this directly from upstream? opnsense/ports still has 9.3.p2.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).



Quote from: doktornotor on December 25, 2023, 12:45:13 PM
System - Settings - Administration:

# egrep "^(MACs|Ciphers)" /usr/local/etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com


Is the latest business version that much different than this screenshot? So I have checked only GCM under SSL ciphers, and the GUI is still accessible.

Ah, it's hidden under Advanced.

Should I just restart any tunnels now?