According to https://security-tracker.debian.org/tracker/CVE-2023-48795, openssh is vulnerable in VyOS 1.3.5.
Need to update to version 1:7.9p1-10+deb10u4.
Description
Details
- Difficulty level: Unknown (require assessment)
- Version: VyOS 1.3.5
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Perfectly compatible
- Issue type: Bug (incorrect behavior)
Related Objects
- Mentioned In: 1.3.6
Event Timeline
Fixed https://packages.debian.org/buster/openssh-server
```
vyos@r15:~$ show version all | match ssh
ii  libssh-4:amd64        0.8.7-1+deb10u2     amd64  tiny C SSH library (OpenSSL flavor)
ii  libssh2-1:amd64       1.8.0-2.1+deb10u1   amd64  SSH2 client-side library
ii  openssh-client        1:7.9p1-10+deb10u4  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server        1:7.9p1-10+deb10u4  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server   1:7.9p1-10+deb10u4  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  python3-paramiko      2.4.2-0.1+deb10u1   all    Make ssh v2 connections (Python 3)
ii  sshguard              2.3.1-1             amd64  Protects from brute force attacks against ssh
vyos@r15:~$ show version
Version:          VyOS 1.3-stable-202402020442
Release train:    equuleus
```
```
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
vyos@r15:~$ ./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u4
ChaCha20-Poly1305 support:   true
CBC-EtM support:             false
Strict key exchange support: true

The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it.
```
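The three facts in the scanner report above (ChaCha20-Poly1305 offered, CBC-with-EtM offered, strict key exchange offered) are all read from the server's first unencrypted SSH_MSG_KEXINIT, before any key is negotiated. The script below is an added example, not part of this task or of the Terrapin-Scanner project: it frames and parses KEXINIT per RFC 4253, then applies the Terrapin rule (an affected mode is negotiable and kex-strict-s-v00@openssh.com is absent). The KEXINIT payloads used for the offline check are constructed test vectors, the client identification string `SSH-2.0-TerrapinCheck_0.1` is made up, and `scan()` only inspects what the server offers rather than completing a key exchange. The `role` parameter exists because of the last sentence of the report: a client is covered only if it offers the `-c-` variant, so the same parser can be pointed at a client's KEXINIT too.

```python
"""Terrapin (CVE-2023-48795) exposure check from a peer's SSH_MSG_KEXINIT (added example)."""
import io
import socket
import struct
from dataclasses import dataclass

SSH_MSG_KEXINIT = 20
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
CHACHA20 = "chacha20-poly1305@openssh.com"
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

@dataclass
class TerrapinAssessment:
    chacha20: bool    # chacha20-poly1305@openssh.com is offered
    cbc_etm: bool     # a CBC cipher and an *-etm@openssh.com MAC are both offered
    strict_kex: bool  # the strict-kex pseudo-algorithm (the mitigation) is offered

    @property
    def vulnerable(self) -> bool:
        # Exploitable only when an affected mode can be negotiated without strict kex.
        return (self.chacha20 or self.cbc_etm) and not self.strict_kex

def _name_list(names) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def _read_name_list(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n

def parse_kexinit(payload: bytes) -> dict:
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields, off = {}, 17  # skip message type byte and 16-byte cookie
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    return fields

def assess(fields: dict, role: str = "server") -> TerrapinAssessment:
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    cbc = any("-cbc" in c for c in ciphers)
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    return TerrapinAssessment(chacha20=CHACHA20 in ciphers, cbc_etm=cbc and etm,
                              strict_kex=STRICT_KEX[role] in fields["kex"])

def build_kexinit(kex, hostkey, enc, mac, comp=("none",), cookie=bytes(16)) -> bytes:
    """Construct a KEXINIT payload; used here only to build offline test vectors."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for lst in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(lst)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def wrap_packet(payload: bytes, block: int = 8) -> bytes:
    """RFC 4253 section 6 binary packet framing with no MAC (state before the first kex)."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def _exact(read, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf

def read_packet(read) -> bytes:
    """Read one binary packet through read(n) -> bytes and return its payload."""
    length, pad = struct.unpack(">IB", _exact(read, 5))
    if not 1 + pad < length <= 35000:  # RFC 4253 section 6.1 size bound
        raise ValueError("implausible packet length %d" % length)
    return _exact(read, length - 1)[:length - 1 - pad]

def unwrap_packet(data: bytes) -> bytes:
    return read_packet(io.BytesIO(data).read)

def _read_line(read) -> str:
    line = b""
    while not line.endswith(b"\n"):
        line += _exact(read, 1)
        if len(line) > 255:
            raise ValueError("identification line too long")
    return line.rstrip(b"\r\n").decode("utf-8", "replace")

def scan(host: str, port: int = 22, timeout: float = 5.0):
    """Send our identification string, read the server's banner and KEXINIT, assess it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-TerrapinCheck_0.1\r\n")  # hypothetical client id string
        banner = _read_line(sock.recv)
        while not banner.startswith("SSH-"):  # RFC 4253 section 4.2 permits pre-banner lines
            banner = _read_line(sock.recv)
        return banner, assess(parse_kexinit(read_packet(sock.recv)), "server")

if __name__ == "__main__":
    import sys
    banner, result = scan(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(banner, result, "VULNERABLE" if result.vulnerable else "not vulnerable")
```

Run as `python3 terrapin_check.py 127.0.0.1` on the router to reproduce the report's three booleans; the `-cbc` substring match deliberately also catches vendor CBC names such as `rijndael-cbc@lysator.liu.se`, and the 35000-byte bound keeps a hostile peer from making the reader allocate an arbitrary buffer.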