SSH servers vulnerable to new Terrapin attacks: Mitigating, Details & Discovery

administrator

Staff member
Hi,

The new Terrapin attack is a type of security exploit that targets SSH (Secure Shell) servers. This attack takes advantage of vulnerabilities in the SSH protocol to gain unauthorized access to a server.

How does the new Terrapin attack work?

The discovery found a flaw in the SSH integrity checks: by changing certain numbers during the connection setup, an attacker can make it look like some messages weren't sent, without SSH noticing.

Who discovered the new Terrapin attack?

The new Terrapin attack was discovered back in December 2023 by Ruhr University Bochum in Germany. It has been assigned CVE-2023-48795. You can read more about this on Red Hat.


Mitigate new Terrapin attack:

On CentOS / RHEL-8, and CentOS / RHEL-9
You can disable the following ciphers and HMACs on RHEL-8 and RHEL-9:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
5. [email protected]

To do this, run the following command. You can use either nano or vi, whichever you prefer.
nano /etc/crypto-policies/policies/modules/CVE-2023-48795.pmod

Paste this code:
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0

Now, we need to apply our policy. Run the following command:
update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795

Save your changes and restart the SSH server.


You can verify that the changes are in effect by checking that the ciphers listed above are missing from both of these files:
/etc/crypto-policies/back-ends/openssh.config
/etc/crypto-policies/back-ends/opensshserver.config


For CentOS 7 / RHEL-7:
You should use strict MACs and Ciphers on CentOS 7/RHEL-7.

Use the following ciphers and MACs:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

Update both of the following files:

/etc/ssh/ssh_config
/etc/ssh/sshd_config


If you are using DirectAdmin or cPanel, immediately fix this vulnerability; otherwise, your servers can be compromised.
 
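The verification step above only looks at the crypto-policies back-end files. The following script is an added example (not code from the forum post or from Red Hat) that checks the algorithm lists the running sshd actually offers, as printed by `sshd -T`, against the two Terrapin preconditions: the chacha20-poly1305@openssh.com cipher, or a CBC cipher combined with an encrypt-then-MAC (*-etm@openssh.com) MAC. It works the same on RHEL 7, 8 and 9 because it reads the effective configuration rather than a particular file format. The function names and the two `sshd -T` samples embedded at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the forum post: audit the algorithm lists an
# OpenSSH server actually offers for the Terrapin (CVE-2023-48795) preconditions.
# Terrapin applies when the negotiated cipher is chacha20-poly1305@openssh.com,
# or when a CBC cipher is combined with an encrypt-then-MAC (*-etm@openssh.com)
# MAC. CTR/GCM ciphers paired with -etm MACs are not affected, so the check
# looks at the combination instead of flagging every -etm MAC.

# terrapin_check CIPHERS MACS
#   CIPHERS and MACS are comma-separated lists as printed by `sshd -T`.
#   Prints one FLAG line per finding; returns 0 when nothing is flagged, 1 otherwise.
terrapin_check() {
    ciphers=$1
    macs=$2
    rc=0
    has_cbc=0
    has_etm=0

    old_ifs=$IFS
    IFS=','
    for c in $ciphers; do
        case "$c" in
            chacha20-poly1305@openssh.com)
                echo "FLAG: cipher $c is offered (vulnerable on its own)"
                rc=1 ;;
            *-cbc|*-cbc@*)
                has_cbc=1 ;;
        esac
    done
    for m in $macs; do
        case "$m" in
            *-etm@openssh.com) has_etm=1 ;;
        esac
    done
    IFS=$old_ifs

    if [ "$has_cbc" -eq 1 ] && [ "$has_etm" -eq 1 ]; then
        echo "FLAG: a CBC cipher is offered together with an -etm MAC"
        rc=1
    fi
    return "$rc"
}

# audit_sshd_t_output
#   Reads `sshd -T` output on stdin, extracts the effective "ciphers" and
#   "macs" lines and hands them to terrapin_check. On a live host:
#       sshd -T | audit_sshd_t_output
audit_sshd_t_output() {
    dump=$(cat)
    ciphers=$(printf '%s\n' "$dump" | awk '$1 == "ciphers" { print $2 }')
    macs=$(printf '%s\n' "$dump" | awk '$1 == "macs" { print $2 }')
    if [ -z "$ciphers" ] || [ -z "$macs" ]; then
        echo "ERROR: no ciphers/macs lines found (is this sshd -T output?)" >&2
        return 2
    fi
    terrapin_check "$ciphers" "$macs"
}

# Constructed sample of `sshd -T` output (not captured from a real host):
# a server before the CVE-2023-48795 policy module is applied.
SAMPLE_BEFORE='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Constructed sample after "-CHACHA20-POLY1305" and "ssh_etm = 0" are in effect.
SAMPLE_AFTER='ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-256,hmac-sha2-512'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | audit_sshd_t_output; then
        echo "RESULT: no Terrapin preconditions found"
    else
        echo "RESULT: mitigation still needed"
    fi
done
```

Run it as root with `sshd -T | audit_sshd_t_output` after restarting sshd, since `sshd -T` shows the configuration the daemon loads, including anything the crypto-policies back-end injects. A clean result here is what confirms the policy module or the RHEL 7 `Ciphers`/`MACs` lines took effect; seeing the names absent from a config file alone does not prove the running service picked them up.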

nick

Newbie
Thank you so much! I have some Linux boxes and disabled the ciphers on them.

Here is an article on Terrapin. It involves three vulnerabilities: CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.