Jump to content
Not connected, Your IP: 13.58.28.196
Sign in to follow this  
88incher

ANSWERED Terrapin attack/CVE-2023-46445

Recommended Posts

Hello Everyone,

Not sure where to put this.
I came across this article from arstechnica in regards to an SSH attack.
The only reason I'm writing this is due to ChaCha20-Poly1305 being utilized
for the attack and since Air uses this I figured I should notify everyone here.
Anyhoo...this is the article that explains it a lot more than I can.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

It mentions something about updating OpenSSH but I wouldn't know where to begin.

"In response to recommendations provided by the researchers ahead of the publication of Monday’s paper, the developers of SSH software, including the nearly ubiquitous OpenSSH, have updated their implementations to support an optional strict key exchange. It provides for sequence number resets and also prevents an attacker's capability to inject packets during the initial unencrypted handshake. For the fix to take effect, both client and server must support this backward-compatible change. "

That's all I know

Would be nice to hear from the staff in regards to this.

Later

Share this post


Link to post
@88incher

Hello and thank you!

Yes, we recommend a prompt update of OpenSSH, of course. If you need OpenVPN over SSH to our servers, we assure you that updates are performed frequently so the update will be applied soon, when it is available in the official repository. Remember that the update must be applied even client side.

Anyway, remember that the OpenVPN client, at a first analysis, can't be fooled by this method: if you have connected via SSH, by running a vulnerable SSH client and library, to some entity in the middle which pretends to be us by exploiting the vulnerability, that entity will fail to mimic an OpenVPN connection to one of our servers, because it lacks the proper certificates and keys. On the client side you will be able to establish an SSH connection to the attacker machine (provided that you run a vulnerable ssh), but then OpenVPN will fail to connect.

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...