[arm-allstar] Terrapin vulnerability

David McGough kb4fxc at inttek.net
Wed Dec 20 14:42:56 EST 2023



Hi Patrick,

This vulnerability is significant, but IS NOT easy to exploit, so this 
isn't a panic situation for most users, IMO.

The exploit requires a Man-In-The-Middle (MiTM), listening to all traffic
between a properly authenticated SSH client and server, which means the
network between the client and server is already compromised by an
attacker of some type.  This does mean that public/free/unmanaged WiFi
services, like found in many coffee shops, restaurants, libraries, etc.,
are a concern for MiTM scenarios, but this isn't really news for security
conscious users, right??

An SSH server simply being visible to the Internet is NOT VULNERABLE to
this attack.  Further, this attack method can be eliminated by simply
turning off certain allowed cipher methods in the SSH server.

It's also important to note that the newly updated versions of SSH change 
the core protocol to mitigate this exploit.  So, the new SSH versions are 
functionally incompatible with older versions.  This obviously means the 
upgrade process must be carefully orchestrated to avoid losing access to 
systems during the upgrade process.

I'm testing some mitigation strategies right now, more about this soon.  

This attack is obviously a much, MUCH bigger concern for Commercial /
Business / Government users, rather than HamVoIP, so, if you're using SSH 
in a critically sensitive way, I recommend simply running SSH inside a 
VPN tunnel for now.... That's what I already do (and have always done) at 
my business.


73, David K4FXC


On Wed, 20 Dec 2023, Patrick Perdue via ARM-allstar wrote:

> Greetings:
> 
> As some may know, a new vulnerability was discovered with SSH, both on 
> the server and client end of the connection.
> 
> Here is PuTTY's write-up about this:
> 
> https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html
> 
> This is apparently fixed in OpenSSH server 9.6 and PuTTY 0.80.
> 
> Just FYI for anyone who has an exposed SSH server on the internet for 
> whatever reason.
> 
> _______________________________________________
> 
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> 
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> 
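The "turn off certain cipher methods" mitigation mentioned above, as an added example that is not part of either post and not HamVoIP's code. Terrapin (CVE-2023-48795) needs the server to negotiate either the chacha20-poly1305@openssh.com cipher or a CBC cipher paired with an Encrypt-then-MAC (*-etm@openssh.com) MAC, so a checker only has to look at the effective Ciphers and MACs lines of sshd_config. Assumptions: OpenSSH keyword names and OpenSSH 9.x defaults when a keyword is absent (the first occurrence of a keyword wins, as in sshd_config); explicit full algorithm lists, not the +/-/^ relative forms; no Match blocks. The file contents in demo are constructed samples.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): POSIX-sh checker for the
# Terrapin cipher/MAC mitigation in an OpenSSH sshd_config.

# first_value KEYWORD FILE: print the value of the first uncommented
# occurrence of KEYWORD (sshd_config semantics: first one wins).
first_value() {
    awk -v kw="$1" 'tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Assumed OpenSSH 9.x defaults used when the keyword is absent: the chacha20
# cipher and the *-etm MACs are on by default, CBC ciphers are not.
DEFAULT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
DEFAULT_MACS="umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"

# terrapin_check FILE: prints a verdict; returns 0 if the offered algorithm
# set cannot be attacked, 1 if it still can.
terrapin_check() {
    ciphers=$(first_value Ciphers "$1")
    macs=$(first_value MACs "$1")
    [ -z "$ciphers" ] && ciphers="$DEFAULT_CIPHERS"
    [ -z "$macs" ] && macs="$DEFAULT_MACS"
    reason=""
    # Condition 1: the ChaCha20-Poly1305 cipher is offered at all.
    case ",$ciphers," in
        *,chacha20-poly1305@openssh.com,*) reason="chacha20-poly1305@openssh.com is offered" ;;
    esac
    # Condition 2: any CBC cipher together with any Encrypt-then-MAC MAC.
    if [ -z "$reason" ]; then
        case ",$ciphers," in
            *-cbc,*)
                case ",$macs," in
                    *-etm@openssh.com,*) reason="CBC cipher offered alongside an *-etm MAC" ;;
                esac ;;
        esac
    fi
    if [ -n "$reason" ]; then
        echo "vulnerable: $reason"
        return 1
    fi
    echo "ok: no chacha20-poly1305 and no CBC+EtM combination offered"
    return 0
}

# hardened_lines: Ciphers/MACs lines that drop chacha20 and every CBC cipher.
# The *-etm MACs may stay: with CTR or GCM ciphers they are not affected.
hardened_lines() {
    printf 'Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n'
    printf 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n'
}

# demo: run the checker over two constructed sample configs.
demo() {
    tmp=$(mktemp)
    printf '# constructed sample: stock-style config, chacha20 still on\nPort 22\nCiphers chacha20-poly1305@openssh.com,aes256-ctr\n' > "$tmp"
    terrapin_check "$tmp"
    hardened_lines > "$tmp"
    terrapin_check "$tmp"
    rm -f "$tmp"
}
```

Run `demo` to see the two verdicts, or point `terrapin_check` at the real /etc/ssh/sshd_config and append the lines from `hardened_lines` (then `sshd -t` and reload) if it reports vulnerable. Clients you keep have to support at least one of the remaining AES-CTR/GCM ciphers, which every current OpenSSH and PuTTY does.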


