stable

Clone or download

Read-only

fix: request #35865 Adjust SSHd crypto settings to prevent Terrapin attack / CVE-2023-48795

CVE-2023-48795 is a prefix truncation attack affecting the SSH protocol. The attack can be achieved on ChaCha20-Poly1305 or any cipher relying on the CBC mode with an encrypt-then-mac approach. The issue is mitigated in recent OpenSSH versions but the underlying protocol issue is still here. Removing ChaCha20-Poly1305 from the list of usable ciphers we set is enough to be fix the the issue. The list of MACs has also been cleaned up to keep only sane January 2024 possibilities (and be conform to Enalean internal crypto policy). No functional changes expected, all the ciphers and MACs we set are widespread and present in OpenSSH since a long time. The AES ciphers using the CTR mode should ideally be removed but I'm a bit concerned by the fact it might some SSH clients. This should likely be revisited in a few months. The "Terrapin" attack is theoretically applicable to these CTR mode ciphers but it cannot really be exploited. Change-Id: Id6835b862a0ded50fbc7be81003817aa7f418021

Modified Files

Name
M plugins/tee_container/docker/sshd_config +2 −2 Go to diff View file
M tools/docker/tuleap-community-edition/sshd_config +2 −2 Go to diff View file