Vulnerability found: SSH Prefix Truncation Vulnerability (Terrapin)
Article ID: 277997
Updated On: 10-02-2024
Products
Security Analytics
Issue/Introduction
Some releases and configurations of ssh are vulnerable to CVE-2023-48795. Security Analytics 8.2.7 and later are not.
See SSH Prefix Truncation Vulnerability Used in Terrapin Attacks (CVE-2023-48795)
The iDRAC for the Dell r640xl and the management interface for the Dell ME4 storage arrays are vulnerable.
Environment
Security Analytics 8.2.7
Resolution
Security Analytics itself is not vulnerable, but the iDRAC and ME4 Web UI are. We recommend disabling ssh in these interfaces. ssh is not used by the application or for support.
To disable ssh in the iDRAC, login to the iDRAC
For the iDRAC
- Log in to the iDRAC and searched for the keyword ssh in the top right corner.
- This navigates directly to the Services -> SSH menu
- Enable or Disable SSH.
For the ME4 storage
- Log in and select Home -> Action -> System Settings
- Under Services, deselect SSH.
These are the results from the Terrapin vulnerability scanner for the Security Analytics application -
./Terrapin_Scanner_Linux_amd64 -connect
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-OpenSSH_8.0
ChaCha20-Poly1305 support: false
CBC-EtM support: false
Strict key exchange support: false
The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin.
For strict key exchange to take effect, both peers must support it.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit https://terrapin-attack.com
./Terrapin_Scanner_Linux_amd64 -connect
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-OpenSSH_8.0
ChaCha20-Poly1305 support: false
CBC-EtM support: false
Strict key exchange support: false
The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin.
For strict key exchange to take effect, both peers must support it.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit https://terrapin-attack.com
Additional Information
For sites that require ssh access to the iDRAC and ME4 Web UI, the vulnerable cypher can be removed. Dell has provided the instructions. Broadcom has not tested and does not support this configuration change.
ME4 Storage Array - Configuring the SSH Server Cipher List
r640 iDRAC - Setting Cipher Suite Selection using the iDRAC GUI
Feedback
Was this article helpful?
Yes
No
Powered by
