88incher 0 Posted ... Hello Everyone, Not sure where to put this. I came across this article from arstechnica in regards to an SSH attack. The only reason I'm writing this is due to ChaCha20-Poly1305 being utilized for the attack and since Air uses this I figured I should notify everyone here. Anyhoo...this is the article that explains it a lot more than I can. https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ It mentions something about updating OpenSSH but I wouldn't know where to begin. "In response to recommendations provided by the researchers ahead of the publication of Monday’s paper, the developers of SSH software, including the nearly ubiquitous OpenSSH, have updated their implementations to support an optional strict key exchange. It provides for sequence number resets and also prevents an attacker's capability to inject packets during the initial unencrypted handshake. For the fix to take effect, both client and server must support this backward-compatible change. " That's all I know Would be nice to hear from the staff in regards to this. Later Quote Share this post Link to post
Staff 9972 Posted ... @88incher Hello and thank you! Yes, we recommend a prompt update of OpenSSH, of course. If you need OpenVPN over SSH to our servers, we assure you that updates are performed frequently so the update will be applied soon, when it is available in the official repository. Remember that the update must be applied even client side. Anyway, remember that the OpenVPN client, at a first analysis, can't be fooled by this method: if you have connected via SSH, by running a vulnerable SSH client and library, to some entity in the middle which pretends to be us by exploiting the vulnerability, that entity will fail to mimic an OpenVPN connection to one of our servers, because it lacks the proper certificates and keys. On the client side you will be able to establish an SSH connection to the attacker machine (provided that you run a vulnerable ssh), but then OpenVPN will fail to connect. Kind regards 2 Wolf666 and ss11 reacted to this Quote Share this post Link to post