Kiran
January 29, 2024, 7:07pm
Hi Experts, We are using Alma Linux 8.8 in our software, and we are seeing the below vulnerability reported through a Nessus scan (Tenable).
Kindly let us know if there is any solution that you can suggest to us to address/mask this vulnerability.
Thanks,
Kiran
The following Red Hat article has the details including mitigation:
https://access.redhat.com/security/cve/cve-2023-48795
Kiran
January 31, 2024, 4:57pm
Thank You.
Looks like this vulnerability is officially fixed now in openssh-8.0p1-19.el8_9.2.x86_64.rpm
Regards,
Kiran
Correct me if I'm wrong, but from what you posted it's clear that openssh 8.7p1-34 is not vulnerable? I'm on this version.
Kiran
January 31, 2024, 5:38pm
As per the below links, I see it is fixed in openssh-8.0p1-19.el8_9.2.x86_64.rpm
https://access.redhat.com/security/cve/cve-2023-48795
https://access.redhat.com/errata/RHSA-2024:0606
You may run Nessus Scan (Tenable) in your environment and confirm the same.
Hi, @wojciechxtx did you rerun the Nessus scan with openssh-8.0p1-19.el8_9.2.x86_64.rpm? Was the vulnerability reported for this version? Please confirm.
Thanks
@Gurpreet no I did not run it yet. I have it in my backlog for today/tonight, so will post results here.
skynet
February 18, 2024, 3:55pm
I’m also on Alma 9, trying to figure out the fix for this. I see a fix published for Alma 8:
https://errata.almalinux.org/8/ALSA-2024-0606.html
but I haven’t seen it for Alma 9.
It appears that openssh 8.7p1-34.el9 was published in July (https://almalinux.pkgs.org/9/almalinux-baseos-x86_64/openssh-8.7p1-34.el9.x86_64.rpm.html), which is before this CVE, so I assume it's still not fixed in Alma 9?
@skynet I have no idea about the 8.7 version; I'm on 9.6 (compiled from source by myself) and Terrapin is not an issue for me.
skynet
February 18, 2024, 4:28pm
Ah ok, I was just going based on what you had installed in that screenshot. Maybe compiling from source is the way to go for now.
The screenshot was right at the time of writing. I have since updated OpenSSH.
If you do not want to be vulnerable to Terrapin, then the answer is yes.
PS. Bear in mind that I'm on a physical server, not a desktop, so there is a huge need for my setup not to be vulnerable.
skynet
February 18, 2024, 9:27pm
Did a little more research and found what seems like the simplest solution here: security - How do you mitigate the Terrapin SSH attack? - Unix & Linux Stack Exchange
Add this file /etc/crypto-policies/policies/modules/TERRAPIN.pmod:
cipher@ssh = -CHACHA20*
ssh_etm = 0
then run
update-crypto-policies --set DEFAULT:TERRAPIN
and reboot.
I went with this since I don't need openssh 9.6 yet.
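The module above drops the ChaCha20-Poly1305 cipher and the encrypt-then-MAC (*-etm@openssh.com) MACs that the Terrapin attack relies on. The following shell script is an added example, not from this thread or from AlmaLinux's crypto-policies project; it reads an `sshd -T` dump and reports whether either family is still offered, so you can verify the policy actually took effect after the reboot. The two `sshd -T` samples are constructed.

```sh
#!/bin/sh
# Added example (not from this thread): checks an `sshd -T` dump for the
# algorithm families the TERRAPIN.pmod module is meant to drop, i.e. the
# chacha20-poly1305@openssh.com cipher and every *-etm@openssh.com MAC.

# Constructed sample of `sshd -T` output before applying DEFAULT:TERRAPIN.
before='ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256'

# Constructed sample after the module (cipher@ssh = -CHACHA20*, ssh_etm = 0).
after='ciphers aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256,umac-128@openssh.com'

# terrapin_check: read `sshd -T` style lines on stdin, print each offending
# entry; exit status 0 when none is offered, 1 otherwise.
terrapin_check() {
    found=0
    while IFS=' ' read -r key value; do
        case "$key" in
            ciphers|macs) ;;   # only these two keywords matter here
            *) continue ;;
        esac
        oldifs=$IFS; IFS=','
        for alg in $value; do
            case "$alg" in
                chacha20-poly1305@openssh.com|*-etm@openssh.com)
                    printf '%s still offers %s\n' "$key" "$alg"
                    found=1 ;;
            esac
        done
        IFS=$oldifs
    done
    return "$found"
}

# terrapin_status: "mitigated" or "vulnerable" for a whole `sshd -T` dump.
terrapin_status() {
    if printf '%s\n' "$1" | terrapin_check >/dev/null; then
        echo mitigated
    else
        echo vulnerable
    fi
}

terrapin_status "$before"   # prints: vulnerable
terrapin_status "$after"    # prints: mitigated
# On a real host (as root, after update-crypto-policies and a reboot):
#   sshd -T | terrapin_check && echo mitigated
```

Note that this only inspects the server's offered algorithm list; clients that still negotiate ChaCha20 or ETM MACs with other hosts need the same policy applied on their side.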