CVE-2023-48795

Started by tja, December 27, 2023, 07:54:01 AM

Hi.

I stumbled over
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
Also see
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

As far as I (try to) understand, the attack needs to be MITM and can downgrade the secure channel(s) to insecure/observable.
But I don't quite grasp how to interpret the relation to the "ssh client" CVEs (e.g. CVE-2023-46445).

Researching further, I find that my OPNsense 23.7.10_1 uses openssh-portable 9.3.p2_2,1 - for which at least the repo for the 9.3 version (https://github.com/openssh/openssh-portable/tree/V_9_3) seems to be unchanged since July - but I obviously know nothing about the dev process of OPNsense, so I can't see if "our" package is already patched against this kind of attack.

Can someone more knowledgeable step up and help me out here?

tia,tja...

As a temporary measure, if you're really that worried about security, simply remove ChaCha20-Poly1305 from the list of allowed ciphers in System -> Settings -> Administration, by changing the Ciphers list to be the CTR and GCM ciphers only, specifically these ones:
aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
Since it's the end of the year right now, it might not be until the new year that updates get issued for FreeBSD. That workaround was advised by Fabian Bäumer, one of the authors of the paper on that attack, so I'd go with that for now.
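
An added example, not part of the posts in this thread and not OPNsense or OpenSSH code: a shell check that compares the `ciphers` line of `sshd -T` style output against the allow-list from the workaround above and prints anything still offered outside it. The function name `audit_ciphers` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Allow-list taken from the workaround above (CTR and GCM ciphers only).
ALLOWED="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# audit_ciphers (hypothetical helper): reads `sshd -T` style output on stdin
# and prints every offered cipher that is not on the allow-list, one per line.
# Exit status: 0 = only allow-listed ciphers offered
#              1 = at least one other cipher offered (e.g. ChaCha20-Poly1305)
#              2 = no "ciphers" line in the input, so nothing can be concluded
audit_ciphers() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        tolower($1) == "ciphers" {
            seen = 1
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the keyword itself
            m = split(line, c, /[, \t]+/)           # comma or space separated
            for (i = 1; i <= m; i++)
                if (c[i] != "" && !(c[i] in ok)) { print c[i]; bad = 1 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
SAMPLE_AFTER='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Demo on the samples; on a live host (as root): sshd -T | audit_ciphers
printf '%s\n' "$SAMPLE_BEFORE" | audit_ciphers \
    || echo "before: status $? (ciphers outside the allow-list are printed above)"
printf '%s\n' "$SAMPLE_AFTER" | audit_ciphers \
    && echo "after: only allow-listed ciphers are offered"
```

Status 2 is kept separate from status 0 so that a missing `ciphers` line is never read as a pass.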



Posted a test package in the other thread.


Cheers,
Franco