CVE-2023-48795 Proxmox is VULNERABLE to Terrapin (as of right now)

Nov 29, 2023
So everyone has heard about Terrapin,

CVE-2023-48795
CVE-2023-46445
CVE-2023-46446

I find that Ubuntu has released patches, and so has FreeBSD.

The Terrapin folks (based in Germany) published a vulnerability scanner, and it
shows OK on various Ubuntu releases.

I just ran an update on the Proxmox nodes; it shows no updates available and is stuck on OpenSSH_9.2p1,
while it looks like it should be OpenSSH_9.3p1.

I ran the Terrapin vulnerability scanner against a Proxmox paid Enterprise repository node, and it says:

================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u1

ChaCha20-Poly1305 support: true
CBC-EtM support: false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.

Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.

For more details visit our website available at https://terrapin-attack.com

See https://security-tracker.debian.org/tracker/CVE-2023-48795 for details/tracking, and also check out the FAQ by the people who discovered it:

I am an admin, should I drop everything and fix this?

Probably not.

The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection's traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection's encryption mode.
The update is released:
https://lists.debian.org/debian-security-announce/2023/msg00283.html

Also worth mentioning from the Terrapin FAQ:

I patched my SSH client/server, am I safe now?

It depends. The strict key exchange countermeasure implemented by OpenSSH and other vendors requires both, client and server, to support it, in order to take effect. Connecting a vulnerable client to a patched server, and vice versa, still results in a vulnerable connection.
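The scanner report quoted earlier in the thread and the FAQ answer above both reduce to a few checks on the algorithm lists exchanged in SSH_MSG_KEXINIT. The Python below is an added example for this thread, not the Terrapin team's scanner and not Proxmox code: it parses KEXINIT payloads (RFC 4253 section 7.1), reports for a single peer what the scanner reports for the node above (ChaCha20-Poly1305 offered, CBC with Encrypt-then-MAC offered, strict key exchange advertised via kex-strict-s-v00@openssh.com for servers or kex-strict-c-v00@openssh.com for clients), and then simulates algorithm negotiation between a client and a server to show the FAQ's point that a patched client talking to an unpatched server is still a vulnerable connection. The algorithm lists in the fixtures are constructed for the example and are not the real Debian OpenSSH defaults; fetch_server_kexinit is a minimal live fetch you can point at your own node, and its client banner string SSH-2.0-TerrapinCheck is made up.

```python
"""Terrapin (CVE-2023-48795) exposure checks on SSH KEXINIT payloads.
Added example, not the Terrapin team's scanner. Mirrors its decision rule:
a peer is flagged when it offers chacha20-poly1305@openssh.com, or any *-cbc
cipher together with an *-etm@openssh.com MAC, and does not advertise strict
key exchange in its kex list. Fixture algorithm lists are constructed."""
import socket
import struct

SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
# KEXINIT name-list fields in wire order (RFC 4253 section 7.1)
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload into a dict of algorithm lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message id and the 16-byte cookie
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Serialize a KEXINIT payload (constructed input; same lists both directions)."""
    def nl(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a fixture
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += nl(names)
    return body + b"\x00" + b"\x00" * 4  # first_kex_packet_follows=false, reserved


def peer_exposure(kex, role):
    """What the scanner reports for one peer; role is 'server' or 'client'."""
    ciphers = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    report = {"chacha20": CHACHA in ciphers,
              "cbc_etm": any(c.endswith("-cbc") for c in ciphers)
              and any(m.endswith("-etm@openssh.com") for m in macs),
              "strict_kex": STRICT_KEX[role] in kex["kex"]}
    report["vulnerable"] = (report["chacha20"] or report["cbc_etm"]) and not report["strict_kex"]
    return report


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: first client-preferred name the server also lists."""
    return next((a for a in client_prefs if a in server_prefs), None)


def assess_connection(client, server):
    """Simulate negotiation: the connection is open to Terrapin only when an
    affected mode is chosen AND strict kex is not supported by both sides."""
    affected, chosen = False, {}
    for d in ("c2s", "s2c"):
        cipher = negotiate(client["enc_" + d], server["enc_" + d])
        mac = negotiate(client["mac_" + d], server["mac_" + d])
        chosen[d] = (cipher, mac)
        if cipher == CHACHA or (cipher and cipher.endswith("-cbc")
                                and mac and mac.endswith("-etm@openssh.com")):
            affected = True
    strict_both = (STRICT_KEX["client"] in client["kex"]
                   and STRICT_KEX["server"] in server["kex"])
    return affected and not strict_both, {"chosen": chosen, "strict_kex_both": strict_both}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live check: read the banner, then the server's first cleartext packet,
    which is its KEXINIT. The client banner string is made up for this example."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-TerrapinCheck\r\n")
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # servers may send preface lines
            banner = f.readline()
        (length,) = struct.unpack(">I", f.read(4))
        padding = f.read(1)[0]
        payload = f.read(length - padding - 1)
        return banner.strip().decode("ascii", "replace"), parse_kexinit(payload)


# Constructed fixtures (not real OpenSSH defaults).
KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
HOSTKEY = ["ssh-ed25519", "rsa-sha2-512"]
ENC = [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr"]
MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
UNPATCHED_SERVER = parse_kexinit(build_kexinit(KEX, HOSTKEY, ENC, MAC))
PATCHED_SERVER = parse_kexinit(build_kexinit(KEX + [STRICT_KEX["server"]], HOSTKEY, ENC, MAC))
UNPATCHED_CLIENT = parse_kexinit(build_kexinit(KEX, HOSTKEY, ENC, MAC))
PATCHED_CLIENT = parse_kexinit(build_kexinit(KEX + [STRICT_KEX["client"]], HOSTKEY, ENC, MAC))
HARDENED_CLIENT = parse_kexinit(build_kexinit(KEX, HOSTKEY, ["aes256-gcm@openssh.com"], MAC))

if __name__ == "__main__":
    print("unpatched server:", peer_exposure(UNPATCHED_SERVER, "server"))
    for name, c, s in (("patched client -> unpatched server", PATCHED_CLIENT, UNPATCHED_SERVER),
                       ("patched client -> patched server", PATCHED_CLIENT, PATCHED_SERVER),
                       ("hardened client -> unpatched server", HARDENED_CLIENT, UNPATCHED_SERVER)):
        print(name, assess_connection(c, s))
```

The hardened-client case is there because the FAQ quote earlier in the thread says the attack needs ChaCha20-Poly1305 or CBC-with-EtM to actually be negotiated: if neither side ever selects those modes, the connection is not exposed even before the strict-kex patch lands on both ends. As the scanner's own note says, this is a heuristic over advertised algorithms; a vendor with a different countermeasure would still be flagged.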
