
- 14/2024
- High
Linux distributions have released security updates to fix multiple vulnerabilities in AsyncSSH and OpenSSH.
The addressed vulnerabilities could allow a remote attacker to launch a man-in-the-middle attack and strip an arbitrary number of messages after the initial key exchange, obtain sensitive information, or bypass security restrictions on the system by sending a specially crafted request that performs packet injection or removal and shell emulation.
Sample of the addressed vulnerabilities:
1. AsyncSSH Security Bypass Vulnerability (CVE-2023-46446):
- CVSS: 6.8
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Consequences: Bypass Security
2. OpenSSH Man-in-the-Middle Vulnerability (CVE-2023-48795):
- CVSS: 5.9
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
It should be highlighted that the mentioned vulnerabilities were exploited by the Terrapin attack. Terrapin is a prefix truncation attack targeting the SSH protocol: it downgrades the connection's security by truncating the extension negotiation message (RFC 8308) from the transcript, which requires MitM capabilities at the network layer. Additionally, the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.
Vulnerabilities
- CVE-2023-46446
- CVE-2023-46445
- CVE-2023-48795
Mitigations
- Red Hat has provided an alternate workaround for the vulnerability CVE-2023-48795: temporarily disable the affected cipher modes, chacha20-poly1305 and any encrypt-then-MAC variants (generic EtM), following the workaround steps.
- The enterprise should check all IT assets using OpenSSH and AsyncSSH packages with their vendors for updates, if any, and deploy the patches as soon as the testing phase is completed. Below is a sample of the distributors' fixes:
o Ubuntu
o Red Hat
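The following is an added example, not code from the advisory or from any distributor: a small audit script that resolves the effective `Ciphers` and `MACs` lists of an sshd_config/ssh_config text (honouring the `+`, `-` and `^` relative forms from sshd_config(5)), reports whether the two algorithm combinations Terrapin needs (chacha20-poly1305, or a CBC cipher together with an EtM MAC) can still be negotiated, and emits explicit `Ciphers`/`MACs` lines in the shape of the interim workaround above. The OpenSSH default lists embedded in it are an assumption for the era of the advisory and should be confirmed on the host with `ssh -Q cipher` and `ssh -Q mac`; the sample configs are constructed.

```python
"""Audit an sshd_config / ssh_config text for the algorithm combinations the
Terrapin attack (CVE-2023-48795) relies on and produce interim workaround lines.
Added example; not part of the advisory or of any vendor's tooling."""
from fnmatch import fnmatchcase

CHACHA = "chacha20-poly1305@openssh.com"

# Assumed compiled-in OpenSSH defaults at the time of the advisory. They apply
# when the keyword is absent or written in the '+', '-' or '^' relative form.
# Confirm on a real host with `ssh -Q cipher` and `ssh -Q mac`.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def _split(value):
    return [a for a in value.split(",") if a]


def effective_list(config_text, keyword, defaults):
    """Resolve the list the daemon would use for `keyword` (Ciphers or MACs).

    Per sshd_config(5): keywords are case-insensitive and the first occurrence
    wins; a value starting with '+' appends to the defaults, '-' removes the
    listed patterns ('*' wildcards allowed) from them, and '^' moves the listed
    algorithms to the head of the default list. Match blocks are not modelled.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != keyword.lower():
            continue
        value = parts[1].strip()
        if value.startswith("+"):
            return list(defaults) + _split(value[1:])
        if value.startswith("^"):
            head = _split(value[1:])
            return head + [a for a in defaults if a not in head]
        if value.startswith("-"):
            patterns = _split(value[1:])
            return [a for a in defaults
                    if not any(fnmatchcase(a, p) for p in patterns)]
        return _split(value)
    return list(defaults)


def is_cbc(cipher):
    return "-cbc" in cipher


def is_etm(mac):
    return mac.endswith("-etm@openssh.com")


def terrapin_findings(config_text):
    """Human-readable findings; an empty list means neither Terrapin-relevant
    mode (ChaCha20-Poly1305, or CBC combined with an EtM MAC) is negotiable."""
    ciphers = effective_list(config_text, "Ciphers", DEFAULT_CIPHERS)
    macs = effective_list(config_text, "MACs", DEFAULT_MACS)
    findings = []
    if CHACHA in ciphers:
        findings.append(f"cipher {CHACHA} is negotiable")
    cbc = [c for c in ciphers if is_cbc(c)]
    etm = [m for m in macs if is_etm(m)]
    if cbc and etm:   # CBC alone (MAC-then-encrypt) is outside the advisory's combination
        findings.append(f"CBC cipher(s) {','.join(cbc)} negotiable "
                        f"with EtM MAC(s) {','.join(etm)}")
    return findings


def workaround_lines(config_text):
    """Explicit Ciphers/MACs lines with chacha20-poly1305 and every EtM MAC
    removed, mirroring the interim workaround described in the advisory."""
    ciphers = [c for c in effective_list(config_text, "Ciphers", DEFAULT_CIPHERS)
               if c != CHACHA]
    macs = [m for m in effective_list(config_text, "MACs", DEFAULT_MACS)
            if not is_etm(m)]
    return [f"Ciphers {','.join(ciphers)}", f"MACs {','.join(macs)}"]


# Constructed sample configurations.
STOCK = "# stock install, nothing overridden\nPort 22\nPermitRootLogin no\n"
WORKAROUND = "Ciphers -chacha20-poly1305@openssh.com\nMACs -*-etm@openssh.com\n"
CBC_ETM = ("Ciphers aes256-ctr,aes256-cbc\n"
           "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256\n")

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("workaround", WORKAROUND), ("cbc+etm", CBC_ETM)]:
        print(name, terrapin_findings(cfg) or "no Terrapin-relevant modes")
    print("\n".join(workaround_lines(STOCK)))
```

Run against a copied `/etc/ssh/sshd_config`, an empty findings list means the workaround is in place; it does not replace the vendor patch, which fixes the protocol weakness itself rather than avoiding the affected modes, so the check is only useful for the window between disclosure and deployment.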