How to mitigate SSH Terrapin Prefix Truncation Weakness
Our office subscribes to the CISA Cyber Hygiene Report, which is listing our site as having the "SSH Terrapin Prefix Truncation Weakness". I know this is not a super critical vulnerability, but management is anxious about it, especially since Homeland Security reported it to us.
I've found lots of posts describing what it is, but no mitigation other than on RHEL Linux. Is there something I can do on Slackware 15.0? I'd like to smooth the ruffled feathers. |
15.0 has openssh-9.3p2. Openssh 9.6 and later have fixes for that weakness. https://www.openssh.com/txt/release-9.6
|
I went to https://terrapin-attack.com/ and downloaded their vulnerability scanner. Slackware 15.0 is vulnerable, Slackware-current is able to mitigate the weakness. But note that a connection set up by a vulnerable client towards a secured SSH server is still vulnerable to a Terrapin attack.
Anyway, the above page also states what you have to remove but is not specific on how to do that:
Code:
disabling the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client),
Code:
# sshd -T |grep -i cipher
Code:
ChaCha20-Poly1305 support: true
As an example, add this to the end of /etc/sshd/sshd_config (I simply removed the vulnerable Ciphers and MACs):
Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
And then run "/etc/rc.d/rc.sshd restart". Note that old ssh clients will probably no longer be able to connect to your SSH server now. |
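The check described in the post above (look at the effective sshd configuration and see whether the chacha20-poly1305@openssh.com cipher or any -etm@openssh.com MAC is still offered), written out as a small POSIX shell script. This is an added example, not code from the thread or from OpenSSH. It parses the "keyword value" lines that sshd -T prints, and it carries two constructed sample outputs so it runs offline: one that still offers the affected algorithms, and one built from the Ciphers line quoted in the thread plus an assumed MACs line with the -etm variants dropped (the thread does not show its MACs line). The --live flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: check the effective sshd
# configuration for the algorithms the Terrapin advisory names, i.e. the
# chacha20-poly1305@openssh.com cipher and every "-etm@openssh.com" MAC.
# Live use (assumed root shell):   sshd -T | sh terrapin_check.sh --live
# terrapin_check exits 0 when none of them is offered and 1 when any is.

terrapin_check() {
    found=0
    # sshd -T prints one "keyword value" line per keyword, keyword lowercased.
    while IFS= read -r line; do
        case "$line" in
            "ciphers "*|"macs "*)
                key=${line%% *}      # "ciphers" or "macs"
                vals=${line#* }      # comma-separated algorithm list
                oldifs=$IFS; IFS=,
                for alg in $vals; do
                    case "$alg" in
                        chacha20-poly1305@openssh.com|*-etm@openssh.com)
                            printf 'affected %s: %s\n' "$key" "$alg"
                            found=1 ;;
                    esac
                done
                IFS=$oldifs ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed sample 1: a configuration that still offers the affected algorithms.
SAMPLE_BEFORE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Constructed sample 2: the Ciphers line from the thread plus an assumed MACs
# line with the -etm variants removed (the thread does not show its MACs line).
SAMPLE_AFTER='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Run the check over a string instead of live sshd output.
check_string() {
    printf '%s\n' "$1" | terrapin_check
}

if [ "${1:-}" = "--live" ]; then
    terrapin_check          # reads "sshd -T" output from stdin
else
    echo '== before =='
    check_string "$SAMPLE_BEFORE" && echo 'clean' || echo 'still affected'
    echo '== after =='
    check_string "$SAMPLE_AFTER" && echo 'clean' || echo 'still affected'
fi
```

Because sshd -T prints the configuration sshd actually uses (after defaults and Match blocks are resolved), this catches the case where the Ciphers/MACs lines were added but, for example, placed after a Match block and therefore never applied to the main configuration.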
Windu: Thanks for that information. I've added your suggested lines to sshd_config. Now I get:
Code:
sshd -T | egrep "cipher|mac"
I am able to ssh into that host from Slackware 14.2, 15.0 and Windows 11 without problem, so at least the ssh clients I know of will work. |
If you want to know whether you are still vulnerable, you can download the vulnerability scanner (64bit Linux) here: https://github.com/RUB-NDS/Terrapin-...er_Linux_amd64 - make it executable, and then run it as "./Terrapin_Scanner_Linux_amd64 -connect yourhost:yourport"
|
Thanks! That appears to work. I'm all safe now.
|