[arm-allstar] Terrapin vulnerability
Nate Bargmann
n0nb at n0nb.us
Wed Dec 20 15:23:07 EST 2023
This morning on a few local machines running Debian 12.4 with OpenSSH
9.2p1, I have been adding the following line to /etc/ssh/sshd_config:
Ciphers -chacha20-poly1305@openssh.com
Using the Terrapin test program, that is the only cipher shown as
vulnerable. After restarting the SSH daemon the test program reports
that the vulnerability is closed.
Running the program against HamVOIP I see:
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-OpenSSH_7.2
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
==> The scanned peer is VULNERABLE to Terrapin.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit our website available at https://terrapin-attack.com
So it appears to me that the same line should close the vulnerability
for HamVOIP SSH.
73, Nate, N0NB
--
"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
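
Added example (not part of the original post and not the Terrapin scanner's own code): the three checks printed in the report above, applied to a server's SSH_MSG_KEXINIT algorithm lists before and after the cipher is removed. The helper names and the sample offers are constructed for illustration. Matching CBC ciphers by the "-cbc" suffix and EtM MACs by the "-etm@openssh.com" suffix is an assumption based on OpenSSH's algorithm naming, and "kex-strict-s-v00@openssh.com" is the marker an OpenSSH server advertises for strict key exchange.

```python
import struct

# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)  # struct.error if cut short
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def terrapin_report(server: dict) -> dict:
    """Apply the three checks the report prints to a server's offer."""
    enc = set(server["enc_c2s"]) | set(server["enc_s2c"])
    mac = set(server["mac_c2s"]) | set(server["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in enc
    cbc_etm = (any(c.endswith("-cbc") for c in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    strict = "kex-strict-s-v00@openssh.com" in server["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def build_kexinit(lists: dict) -> bytes:
    """Encode constructed name-lists as a KEXINIT payload (sample data only)."""
    body = b"\x14" + bytes(16)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved

def offer(ciphers, macs, kex=("curve25519-sha256",)):  # constructed server offer
    return build_kexinit({"kex": list(kex), "hostkey": ["ssh-ed25519"],
                          "enc_c2s": ciphers, "enc_s2c": ciphers,
                          "mac_c2s": macs, "mac_s2c": macs})

if __name__ == "__main__":
    macs = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
    for ciphers in (["chacha20-poly1305@openssh.com", "aes128-ctr"], ["aes128-ctr"]):
        print(ciphers, terrapin_report(parse_kexinit(offer(ciphers, macs))))
```

The EtM MACs left in the second offer do not trip the check on their own: the CBC-EtM condition needs a CBC cipher as well, which is why removing the one cipher is enough when no CBC ciphers are offered.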