CVE-2023-48795 Proxmox is VULNERABLE to Terrapin (as of right now)

Nov 29, 2023
So everyone has heard about Terrapin,

CVE-2023-48795
CVE-2023-46445
CVE-2023-46446

I find Ubuntu has released patches, also FreeBSD.

The Terrapin folks (based in Germany) published a vulnerability scanner, and it
shows ok on various Ubuntu releases.

I just ran update on Proxmox nodes, it shows no updates available and stuck on OpenSSH_9.2p1,
looks like it should be OpenSSH_9.3p1.

I ran the Terrapin vulnerability scanner against Proxmox paid Enterprise repository node, it says:

================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u1

ChaCha20-Poly1305 support: true
CBC-EtM support: false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.

Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.

For more details visit our website available at https://terrapin-attack.com
 
See https://security-tracker.debian.org/tracker/CVE-2023-48795 for details/tracking, and also check out the FAQ by the people who discovered it:

I am an admin, should I drop everything and fix this?

Probably not.

The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection's traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection's encryption mode.
 
Update is released:
https://lists.debian.org/debian-security-announce/2023/msg00283.html

Also worth mentioning from the terrapin FAQ:

I patched my SSH client/server, am I safe now?


It depends. The strict key exchange countermeasure implemented by OpenSSH and other vendors requires both, client and server, to support it, in order to take effect. Connecting a vulnerable client to a patched server, and vice versa, still results in a vulnerable connection.
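The FAQ point quoted above, that strict key exchange only takes effect when both ends advertise it, worked through as an added example (not part of the original thread and not the Terrapin scanner's code). It parses SSH_MSG_KEXINIT payloads and applies the RFC 4253 negotiation rule; the function names and the sample algorithm lists are constructed for illustration.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_C = "kex-strict-c-v00@openssh.com"   # marker sent by patched clients
STRICT_S = "kex-strict-s-v00@openssh.com"   # marker sent by patched servers
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of algorithm name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                      # skip type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client, server):
    """RFC 4253 rule: the first client algorithm that the server also lists."""
    return next((a for a in client if a in server), None)

def connection_vulnerable(client, server):
    """True when strict kex is not in effect and a vulnerable mode is negotiated."""
    if STRICT_C in client["kex"] and STRICT_S in server["kex"]:
        return False                         # countermeasure active on both ends
    for d in ("c2s", "s2c"):
        enc = negotiate(client["enc_" + d], server["enc_" + d])
        mac = negotiate(client["mac_" + d], server["mac_" + d])
        if enc == CHACHA or (enc and enc.endswith("-cbc") and mac and "-etm@" in mac):
            return True
    return False

def build_kexinit(**lists):
    """Encode a constructed sample KEXINIT payload (demo input only)."""
    names = (",".join(lists.get(f, [])).encode("ascii") for f in FIELDS)
    body = b"".join(struct.pack(">I", len(v)) + v for v in names)
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

def sample(kex, enc, mac=("hmac-sha2-256-etm@openssh.com",)):
    """Constructed peer with the same cipher and MAC lists in both directions."""
    return parse_kexinit(build_kexinit(kex=kex, enc_c2s=enc, enc_s2c=enc, mac_c2s=mac, mac_s2c=mac))
```

Calling `connection_vulnerable(sample(...), sample(...))` with one patched and one unpatched peer that both prefer ChaCha20-Poly1305 returns `True`, which is the mixed-version case the FAQ describes.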