Spectrum impact from SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

Article ID: 277985

Products

CA Spectrum DX NetOps

Issue/Introduction

A vulnerability scan reports that the remote SSH server is vulnerable to a man-in-the-middle (MITM) prefix truncation attack:

"The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security. Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions." 

Contact the vendor for an update with the strict key exchange countermeasures or disable the affected algorithms. CVE-2023-48795

NVD URL for CVE-2023-48795

Is DX NetOps Spectrum impacted by this vulnerability?

Environment

DX NetOps Spectrum releases 23.3.5 and older

Cause

Spectrum uses JSCH 0.1.55, which is vulnerable.

Resolution

Overall details:

  • NCM in Spectrum uses pre-installed SSH tools JSCH and Mindterm
    • Both JSCH and Mindterm are installed with Spectrum by default.
  • Mindterm is not vulnerable to this.
  • The current JSCH release in all currently supported Spectrum releases is vulnerable.
  • The severity of the CVE is 5.7 (medium), not a critical vulnerability.

Short term:

  • There is no manual remediation possible for JSCH.
    • As long as JSCH is not used, Spectrum is not vulnerable.
    • If JSCH is used for NCM, switch to Mindterm.
  • There is no remediation needed for Mindterm as it's not vulnerable to this.

Long term:

  • Spectrum Engineering plans to upgrade to the latest JSCH release (0.2.15 at the time of writing) to remediate this.
    • It will be included in a future Spectrum release.
    • The current estimate is to include this change in the 23.3.x update kit when released. 
    • This is subject to change.