| Summary: | [TRACKER] CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | All Packagers <pkg-bugs> |
| Status: | NEW --- | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | bruno, lewyssmith, marja11, pterjan, yvesbrungard |
| Version: | Cauldron | Keywords: | TRACKER |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9TOO | ||
| Source RPM: | CVE: | ||
| Status comment: | |||
| Bug Depends on: | 32674, 32675, 32676, 32682, 32644, 32656, 32660, 32662, 32670, 32671, 32672, 32673, 32748 | ||
| Bug Blocks: | |||
|
Description
Nicolas Salguero
2023-12-20 11:45:47 CET
Nicolas Salguero
2023-12-20 11:45:59 CET
Whiteboard:
(none) =>
MGA9TOO
Nicolas Salguero
2023-12-21 10:39:30 CET
Depends on:
(none) =>
32644

Thank you Nicolas for the detailed research about Mageia.

Résumé: From the 3 openwall URLs, noting just those pkgs Nicolas identified in comment 0 as being in Mageia:

Already dealt with:
- Dropbear git: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
- Erlang ssh 5.1.1: https://www.erlang.org/doc/apps/ssh/notes
- golang.org/x/crypto 0.17.0: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
- libssh 0.10.6 and 0.9.8: https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
- libssh2 git: https://github.com/libssh2/libssh2/issues/1290 https://github.com/libssh2/libssh2/pull/1291
- OpenSSH 9.6: https://www.openssh.com/txt/release-9.6
- PuTTY 0.80: https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html
- Jsch (Java SSH): release 0.2.15 fixes it https://github.com/mwiede/jsch/releases/tag/jsch-0.2.15

? fixed (3rd URL, after Jsch):
- apache-sshd and
- trilead-ssh2
as Java SSH implementations are affected

In progress:
- ProFTPD (mod_sftp): https://github.com/proftpd/proftpd/issues/1760

I imagine that packages fixed upstream will be fixed with us. Be careful about noting which have been done.

This is worth copying here for information:

"### Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to a variety of SSH implementations, including OpenSSH itself, PuTTY, libssh, and more.
**Warning: To take effect, both the client and server must support this countermeasure.**"

Assignee:
bugsquad =>
pkg-bugs
papoteur
2023-12-27 15:22:59 CET
Depends on:
(none) =>
32656
papoteur
2023-12-28 13:47:13 CET
Depends on:
(none) =>
32660
papoteur
2023-12-28 14:08:28 CET
Depends on:
(none) =>
32662

This bug really needs to become a TRACKER for the different bits, each having its own bug as Yves has sensibly done for dropbear bug 32656.
CC'ing Marja for advice about this.

CC:
(none) =>
lewyssmith, marja11

(In reply to Lewis Smith from comment #2)
> This bug really needs to become a TRACKER for the different bits, each
> having its own bug as Yves has sensibly done for dropbear bug 32656.
> CC'ing Marja for advice about this.

Papoteur opened at least one more bug report, about erlang, bug 32670. I'll check whether more were opened.

Depends on:
(none) =>
32670
Marja Van Waes
2023-12-31 17:48:24 CET
Depends on:
(none) =>
32671
Marja Van Waes
2023-12-31 17:56:08 CET
Depends on:
(none) =>
32672
Marja Van Waes
2023-12-31 18:11:27 CET
Depends on:
(none) =>
32673
Marja Van Waes
2023-12-31 18:18:51 CET
Depends on:
(none) =>
32674
Marja Van Waes
2023-12-31 18:26:51 CET
Depends on:
(none) =>
32675
Marja Van Waes
2023-12-31 18:36:57 CET
Depends on:
(none) =>
32676

(In reply to Nicolas Salguero from comment #0)
> That CVE was announced here:
> https://www.openwall.com/lists/oss-security/2023/12/18/3
> https://www.openwall.com/lists/oss-security/2023/12/19/5
> https://www.openwall.com/lists/oss-security/2023/12/20/3
>
> Many SSH implementations that are packaged in Mageia are affected:

bug 32656 - dropbear (https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)
bug 32670 - erlang (Erlang ssh 5.1.1)
bug 32674 - golang-x-crypto (0.17.0)
bug 32660 - libssh (0.10.6 and 0.9.8)
bug 32662 - libssh2 (https://github.com/libssh2/libssh2/pull/1291)
bug 32671 - OpenSSH (9.6)
bug 32672 - putty (0.80)
bug 32673 - jsch (0.2.15)
bug 32644 - proftpd (open bug: https://github.com/proftpd/proftpd/issues/1760)
bug 32675 - apache-sshd
bug 32676 - trilead-ssh2

>
> Other implementations are affected. I did not find them into Mageia but
> maybe I missed them:

They still need to be checked. However, about this one:

> - Apache Mina (open bug: https://github.com/apache/mina-sshd/issues/445)

I understand that is the same as apache-sshd, because, from a changelog mail:

Name : apache-sshd    Relocations: (not relocatable)
Version : 2.8.0    Vendor: Mageia.Org
Release : 1.mga9    Build Date: Wed 03 Aug 2022 12:39:12 AM CEST
Install Date: (not installed)    Build Host: localhost
Group : Development/Java    Source RPM: (none)
Size : 1634333    License: ASL 2.0 and ISC
Signature : (none)
Packager : neoclust <neoclust>
URL : http://mina.apache.org/sshd-project
Summary : Apache SSHD

https://www.openwall.com/lists/oss-security/2023/12/20/3

Isn't rubygem-net-ssh our ruby-net-ssh?
CC'ing bcornec and pterjan, who were the last ones to push it.

CC:
(none) =>
bruno, pterjan
Marja Van Waes
2024-01-02 11:54:04 CET
Depends on:
(none) =>
32682

(In reply to Marja Van Waes from comment #5)
> https://www.openwall.com/lists/oss-security/2023/12/20/3
>
> Isn't rubygem-net-ssh our ruby-net-ssh?
>

bug 32682 was filed for ruby-net-ssh
Nicolas Salguero
2024-01-19 16:12:02 CET
Blocks:
(none) =>
32748
Nicolas Salguero
2024-01-19 16:16:44 CET
Depends on:
(none) =>
32748 |