CVE-2023-48795 Terrapin Prefix Truncation Weakness

This KB provides guidance for customers to address reported vulnerabilities associated with the OpenSSH extension:
CVE -CVE-2023-48795

DataCore FileFly

Linux is not supported. No action is necessary.

Swarm Storage

Swarm Storage does not ship runtime images with OpenSSH in any Swarm version. No update is required.

Swarm SCS, Gateway, Elasticsearch, Telemetry

Rocky Linux 8 is not affected by this CVE.

For Red Hat (RHEL) 7 and CentOS 7, follow these steps to remediate:

To mitigate the vulnerability, remove the ChaCha20-Poly1305 cipher and CBC mode ciphers from the /etc/ssh/sshd_config file. Update the configuration as follows:

# Ciphers and keying Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com # MAC algorithms MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 ######VAfix - kexalgorithms########## kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

After modifying the file, save it and restart the SSH service:

sudo systemctl restart sshd

This configuration change will help mitigate the Terrapin vulnerability by removing the affected ciphers while maintaining compatibility with supported systems.

To verify the mitigation is applied download and run the following tool

curl -LO https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.3/Terrapin_Scanner_Linux_amd64 chmod +x Terrapin_Scanner_Linux_amd64 ./Terrapin_Scanner_Linux_amd64 --connect <CentOS7/RHEL7 Server IP>

 

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.