CVE-2023-48795 Terrapin Prefix Truncation Weakness
- Milton Suen
- Abraham Felsenstein
This KB provides guidance for customers to address reported vulnerabilities associated with the OpenSSH extension:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
DataCore FileFly
Linux is not supported. No action is necessary.
Swarm Storage
Swarm Storage does not ship runtime images with OpenSSH in any Swarm version. No update is required.
Swarm SCS, Gateway, Elasticsearch, Telemetry
Rocky Linux 8 is not affected by this CVE.
For Red Hat (RHEL) 7 and CentOS 7, follow these steps to remediate:
To mitigate the vulnerability, remove the ChaCha20-Poly1305 cipher and CBC mode ciphers from the /etc/ssh/sshd_config file. Update the configuration as follows:
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# MAC algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
######VAfix - kexalgorithms##########
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1After modifying the file, save it and restart the SSH service:
sudo systemctl restart sshdThis configuration change will help mitigate the Terrapin vulnerability by removing the affected ciphers while maintaining compatibility with supported systems.
To verify the mitigation is applied download and run the following tool
curl -LO https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.3/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 --connect <CentOS7/RHEL7 Server IP>
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.