Page MenuHomeVyOS Platform
Create Task
Maniphest T5914

CVE-2023-48795 - Terrapin vulnerability
Closed, ResolvedPublicBUG
Actions

Description

According to https://security-tracker.debian.org/tracker/CVE-2023-48795 openssh is vulnerable in VyOS 1.3.5
Need to update to 1:7.9p1-10+deb10u4 version.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.6

Event Timeline

a.apostoliuk created this task.Jan 9 2024, 9:08 AM
a.apostoliuk edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus.Jan 9 2024, 9:42 AM
pasik added a subscriber: pasik.Jan 9 2024, 11:40 AM
SrividyaA renamed this task from CVE-2023-48795 to CVE-2023-48795 - Terrapin vulnerability.Jan 12 2024, 7:18 AM
Viacheslav triaged this task as High priority.Jan 15 2024, 1:39 PM
syncer assigned this task to Viacheslav.Feb 2 2024, 1:22 PM
Viacheslav closed this task as Resolved.Feb 2 2024, 3:26 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.6) board.

Fixed https://packages.debian.org/buster/openssh-server

vyos@r15:~$ show version all | match ssh
ii  libssh-4:amd64                       0.8.7-1+deb10u2                amd64        tiny C SSH library (OpenSSL flavor)
ii  libssh2-1:amd64                      1.8.0-2.1+deb10u1              amd64        SSH2 client-side library
ii  openssh-client                       1:7.9p1-10+deb10u4             amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                       1:7.9p1-10+deb10u4             amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                  1:7.9p1-10+deb10u4             amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  python3-paramiko                     2.4.2-0.1+deb10u1              all          Make ssh v2 connections (Python 3)
ii  sshguard                             2.3.1-1                        amd64        Protects from brute force attacks against ssh
vyos@r15:~$ 
vyos@r15:~$ show version 

Version:          VyOS 1.3-stable-202402020442
Release train:    equuleus
Viacheslav added a comment.Feb 2 2024, 3:45 PM
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64

vyos@r15:~$ ./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u4

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: true

The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin. Glad to see this.
For strict key exchange to take effect, both peers must support it.
dmbaturin mentioned this in 1.3.6.Feb 3 2024, 1:59 AM