LinuxQuestions.org
Old 04-13-2024, 08:11 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,561

Rep: Reputation: 177
How to mitigate SSH Terrapin Prefix Truncation Weakness


Our office subscribes to the CISA Cyber Hygiene Report which is listing our site as having the "SSH Terrapin Prefix Truncation Weakness". I know this is not a super critical vulnerability, but management is anxious about it, especially since Homeland Security reported it to us.

I've found lots of posts describing what it is, but no mitigation other than on RHEL Linux.

Is there something I can do on Slackware 15.0? I'd like to smooth the ruffled feathers.

Last edited by mfoley; 04-13-2024 at 08:13 PM.
 
Old 04-14-2024, 04:23 AM   #2
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,794

Rep: Reputation: 1473
15.0 has openssh-9.3p2. Openssh 9.6 and later have fixes for that weakness. https://www.openssh.com/txt/release-9.6
 
1 members found this post helpful.
Old 04-14-2024, 04:26 AM   #3
Windu
Member
 
Registered: Aug 2021
Distribution: Arch Linux, Debian, Slackware
Posts: 591

Rep: Reputation: Disabled
I went to https://terrapin-attack.com/ and downloaded their vulnerability scanner. Slackware 15.0 is vulnerable, Slackware-current is able to mitigate the weakness. But note that a connection set up by a vulnerable client towards a secured SSH server is still vulnerable to a Terrapin attack.
Anyway, the above page also states what you have to remove but is not specific on how to do that:
Code:
disabling the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client),
and use unaffected algorithms like AES-GCM instead.
Now look at what the sshd in Slackware 15.0 supports:
Code:
# sshd -T |grep -i cipher
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# sshd -T |grep -i mac
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Compare that to slackware-current:
Code:
# sshd -T  |grep -i cipher
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# sshd -T  |grep -i mac
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
So they both look vulnerable, but the difference is what the vulnerability scanner reports about "Strict key exchange support" which is "true" for Slackware-current but "false" for Slackware 15.0:
Code:
ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.
If you want to mitigate your Slackware 15.0 server, then add two lines specifying the Ciphers and MACs your server should support. The values I extracted with "sshd -T" are the built-in defaults.

As an example, add this to the end of /etc/sshd/sshd_config (I simply removed the vulnerable Ciphers and MACs):
Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Validate the changes you made with "sshd -t".
And then run "/etc/rc.d/rc.sshd restart".
Note that old ssh clients will probably no longer be able to connect to your SSH server now.
 
6 members found this post helpful.
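
The hand edit described in post #3, as an added example that is not part of any post in this thread: a shell sketch that reads `sshd -T` output, lists the algorithms the post removes (chacha20-poly1305@openssh.com and the -etm@openssh.com MACs), and prints the resulting Ciphers and MACs lines. The function names and the SAMPLE variable are assumptions made for this example; the sample input is constructed from the Slackware 15.0 defaults quoted in the post.

```sh
#!/bin/sh
# Added example: derive Terrapin-mitigated Ciphers/MACs lines from `sshd -T`
# output by dropping the algorithms named in post #3. All names are hypothetical.

# Constructed sample input: the Slackware 15.0 defaults quoted in the thread.
SAMPLE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# filter_list LIST: print the comma-separated LIST without affected algorithms.
filter_list() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -v -e '^chacha20-poly1305@openssh\.com$' -e '-etm@openssh\.com$' |
        paste -sd, -
}

# affected_algorithms: read `sshd -T` output on stdin and print one affected
# algorithm per line (nothing if the configuration is already reduced).
affected_algorithms() {
    while read -r key value; do
        case "$key" in
            ciphers|macs)
                printf '%s\n' "$value" | tr ',' '\n' |
                    grep -e '^chacha20-poly1305@openssh\.com$' \
                         -e '-etm@openssh\.com$' || true ;;
        esac
    done
}

# mitigated_config: read `sshd -T` output on stdin and print the two
# sshd_config lines with the affected algorithms removed.
mitigated_config() {
    while read -r key value; do
        case "$key" in
            ciphers) printf 'Ciphers %s\n' "$(filter_list "$value")" ;;
            macs)    printf 'MACs %s\n' "$(filter_list "$value")" ;;
        esac
    done
}

echo "Affected algorithms currently offered:"
printf '%s\n' "$SAMPLE" | affected_algorithms
echo "Lines to append to sshd_config:"
printf '%s\n' "$SAMPLE" | mitigated_config
```

On a live host, pipe the real output in with `sshd -T | mitigated_config`, then validate with "sshd -t" and restart as described in the post.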
Old 04-14-2024, 01:07 PM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,561

Original Poster
Rep: Reputation: 177
Windu: Thanks for that information. I've added your suggested lines to sshd_config. Now I get:
Code:
sshd -T | egrep "cipher|mac"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Does that look correct?

I am able to ssh into that host from Slackware 14.2, 15.0 and Windows 11 without problem, so at least the ssh clients I know of will work.
 
Old 04-14-2024, 03:10 PM   #5
Windu
Member
 
Registered: Aug 2021
Distribution: Arch Linux, Debian, Slackware
Posts: 591

Rep: Reputation: Disabled
If you want to know whether you are still vulnerable, you can download the vulnerability scanner (64bit Linux) here: https://github.com/RUB-NDS/Terrapin-...er_Linux_amd64 - make it executable, and then run it as "./Terrapin_Scanner_Linux_amd64 -connect yourhost:yourport"
 
1 members found this post helpful.
Old 04-14-2024, 10:51 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,561

Original Poster
Rep: Reputation: 177
Thanks! That appears to work. I'm all safe now.
 
  

