Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Support for security such as Firewalls and securing linux
moonwang
Posts: 7
Joined: 2023/12/21 05:48:00

Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by moonwang » 2023/12/21 05:51:38

Does anyone have an idea of whether CentOS 7 is going to patch the openssh package for CVE-2023-48795 Terrapin attacks?

I'd like to understand the timeframe to decide whether or not to apply manual upgrade to openssh.

Thanks in advance.

TrevorH
Site Admin
Posts: 33223
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by TrevorH » 2023/12/21 10:16:21

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by jlehtone » 2023/12/21 14:01:01

In other words the impact of the issue is too low for Red Hat to allocate resources for fix for el7.

The maintenance support for RHEL 7 ends June 30, 2024 and therefore CentOS has EoL June 30, 2024.
Since there are only six months left, it would be smarter to shift to some other distro now than to hack CentOS 7.

TrevorH
Site Admin
Posts: 33223
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by TrevorH » 2023/12/21 14:52:02

I am suspecting that there are still a number of large RH customers that still use EL7 and pay for the privilege, so it would not surprise me too much if they backtrack on that once someone that pays them $$$$ says "Oi! RH, you wot?!"

moonwang
Posts: 7
Joined: 2023/12/21 05:48:00

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by moonwang » 2023/12/21 21:48:37

Thanks TrevorH. It looks like a mitigation only. Wouldn't it be better to upgrade openssh to 9.6...

moonwang
Posts: 7
Joined: 2023/12/21 05:48:00

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by moonwang » 2023/12/21 21:50:59

TrevorH wrote:
2023/12/21 14:52:02
I am suspecting that there are still a number of large RH customers that still use EL7 and pay for the privilege, so it would not surprise me too much if they backtrack on that once someone that pays them $$$$ says "Oi! RH, you wot?!"
That's true.

TrevorH
Site Admin
Posts: 33223
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by TrevorH » 2023/12/21 23:57:50

If you do a manual source build of a newer openssh and overwrite the existing install (while leaving the existing packages installed) then a new package update will overwrite some or all of the files you got from a source build. Not recommended. It would tell you that there was a new update though! Bit of a drastic way to find out.

If you do it right and create your own packages and install those then that won't happen but you also won't be told about any future security problems in openssh and will have to rely on being able to find out that an update to fix something horrible has been released so that you can rebuild your own packages with the updates. If you _must_ have an update to fix this then this is probably the best course. You could perhaps use EL8 or EL9 SRPMs and rebuild those using mock rather than going all out to $latest from openssh.org.

Or you can stick with the current packages and disable the suggested algo's and ciphers etc and be relatively safe. Personally I am not sure this CVE is one to get very worried about - yes, it's quite nasty but it needs quite specific conditions to be exploitable - mainly the use of a connection where someone else can MiTM you and intercept your packets on the way to and from the server.
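The workaround TrevorH describes (keep the EL7 packages, drop the affected algorithms) is only as good as what a given client and server actually negotiate, and the strict kex fix in OpenSSH 9.6 only protects a session when both peers advertise it. The script below is an added example, not code from the thread, from Red Hat or from the OpenSSH project: it parses the two KEXINIT proposals that `ssh -vv` prints, applies the client-preference negotiation rule from RFC 4253, and reports whether the resulting cipher/MAC combination is one Terrapin can attack (chacha20-poly1305@openssh.com, or a CBC cipher paired with an *-etm@openssh.com MAC) on a connection where neither side has strict kex. The debug-line formats it matches, the sample proposals, and the hardened Ciphers/MACs lists it prints are my assumptions and constructed test data, not captures from a real host; check the directive lists against the Red Hat CVE page before deploying them.

```python
"""Check CVE-2023-48795 (Terrapin) exposure from an `ssh -vv` debug log.

Added example, not from the forum thread or the OpenSSH project. Capture a log with
    ssh -vv -o BatchMode=yes -o ConnectTimeout=5 user@host exit 2> kexinit.log
then run:  python3 terrapin_check.py kexinit.log
Assumes the "debug2: ... KEXINIT proposal" line formats printed by OpenSSH (an assumption).
"""
import json
import re
import sys

STRICT_CLIENT = "kex-strict-c-v00@openssh.com"   # client-side strict kex marker (OpenSSH 9.6+)
STRICT_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict kex marker (OpenSSH 9.6+)
CHACHA = "chacha20-poly1305@openssh.com"

# EL7 sshd_config workaround (no crypto-policies and no Include on EL7): drop ChaCha20-Poly1305
# and every Encrypt-then-MAC MAC. These exact lists are an assumption; verify against Red Hat's page.
HARDENED_SSHD_CONFIG = (
    "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"
    "MACs hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n"
)

PROPOSAL_LINE = re.compile(
    r"^debug2: (KEX algorithms|ciphers ctos|ciphers stoc|MACs ctos|MACs stoc): (.*)$")


def parse_proposals(log):
    """Split an `ssh -vv` log into the client's and the server's KEXINIT algorithm lists."""
    proposals, current = {}, None
    for line in log.splitlines():
        line = line.rstrip()
        if line == "debug2: local client KEXINIT proposal":
            current = "client"
            proposals[current] = {}
        elif line == "debug2: peer server KEXINIT proposal":
            current = "server"
            proposals[current] = {}
        elif current is not None:
            m = PROPOSAL_LINE.match(line)
            if m:
                proposals[current][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def assess_log(log):
    """Return strict-kex status, the negotiated algorithms per direction, and a verdict."""
    p = parse_proposals(log)
    if "client" not in p or "server" not in p:
        raise ValueError("need both KEXINIT proposals; run ssh with -vv")
    client, server = p["client"], p["server"]
    # The strict-kex extension is only active when BOTH peers advertise their marker.
    strict_kex = (STRICT_CLIENT in client.get("KEX algorithms", [])
                  and STRICT_SERVER in server.get("KEX algorithms", []))
    directions = {}
    for d in ("ctos", "stoc"):   # each direction negotiates its own cipher and MAC
        cipher = negotiate(client.get("ciphers " + d, []), server.get("ciphers " + d, []))
        mac = negotiate(client.get("MACs " + d, []), server.get("MACs " + d, []))
        # Modes the CVE covers: ChaCha20-Poly1305, or a CBC cipher with an Encrypt-then-MAC MAC.
        cbc_etm = (cipher is not None and cipher.endswith("-cbc")
                   and mac is not None and mac.endswith("-etm@openssh.com"))
        directions[d] = {"cipher": cipher, "mac": mac,
                         "attackable_mode": cipher == CHACHA or cbc_etm}
    vulnerable = (not strict_kex) and any(v["attackable_mode"] for v in directions.values())
    return {"strict_kex": strict_kex, "directions": directions, "vulnerable": vulnerable}


# --- constructed sample proposals (test data, not real captures) ----------------------
def _kexinit(role, kex, ciphers, macs):
    header = "local client" if role == "client" else "peer server"
    return "\n".join([
        "debug2: %s KEXINIT proposal" % header,
        "debug2: KEX algorithms: " + kex,
        "debug2: ciphers ctos: " + ciphers, "debug2: ciphers stoc: " + ciphers,
        "debug2: MACs ctos: " + macs, "debug2: MACs stoc: " + macs,
    ])

OLD_KEX = "curve25519-sha256,diffie-hellman-group14-sha256"
EL7_CIPHERS = CHACHA + ",aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes128-cbc,3des-cbc"
EL7_MACS = "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-64@openssh.com,hmac-sha2-256,hmac-sha1"
HARDENED_CIPHERS = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
HARDENED_MACS = "hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

LOG_EL7_TO_EL7 = (_kexinit("client", OLD_KEX, EL7_CIPHERS, EL7_MACS) + "\n"
                  + _kexinit("server", OLD_KEX, EL7_CIPHERS, EL7_MACS))
LOG_EL7_TO_HARDENED = (_kexinit("client", OLD_KEX, EL7_CIPHERS, EL7_MACS) + "\n"
                       + _kexinit("server", OLD_KEX, HARDENED_CIPHERS, HARDENED_MACS))
LOG_NEW_TO_EL7 = (_kexinit("client", OLD_KEX + "," + STRICT_CLIENT, EL7_CIPHERS, EL7_MACS) + "\n"
                  + _kexinit("server", OLD_KEX, EL7_CIPHERS, EL7_MACS))
LOG_NEW_TO_NEW = (_kexinit("client", OLD_KEX + "," + STRICT_CLIENT, EL7_CIPHERS, EL7_MACS) + "\n"
                  + _kexinit("server", OLD_KEX + "," + STRICT_SERVER, EL7_CIPHERS, EL7_MACS))

if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOG_EL7_TO_EL7
    result = assess_log(log)
    print(json.dumps(result, indent=2))
    if result["vulnerable"]:
        print("EL7 sshd_config workaround (place anywhere in the file):\n" + HARDENED_SSHD_CONFIG)
```

Two points the samples make: a 9.6 client talking to an unpatched EL7 server is still attackable (LOG_NEW_TO_EL7), because strict kex needs the server marker too, while an EL7 server with the hardened lists is not attackable even by an old client (LOG_EL7_TO_HARDENED), since nothing the CVE covers can be negotiated. Run it against a real `ssh -vv` capture of each host you care about rather than trusting the defaults.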

moonwang
Posts: 7
Joined: 2023/12/21 05:48:00

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by moonwang » 2023/12/22 02:36:17

Thanks again TrevorH for your detailed explanation.

I agree that a manual source build would be really hard to maintain in the future.

For the mitigation you suggested from RH (https://access.redhat.com/security/cve/cve-2023-48795), it looks like the crypto policy scripts are not available in the EL7 official repos. So, is it not officially supported?

I can see there's a 3rd party repo for it but not sure if it will cause other problems...
https://pkgs.org/download/crypto-policies

Any recommendation please?

Thanks in advance.

moonwang
Posts: 7
Joined: 2023/12/21 05:48:00

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by moonwang » 2023/12/22 05:14:21

Hi TrevorH,

I have tried editing the sshd_config by setting the safe list of algo's and encryptions, and it looks like it's working fine now.

Thanks again!

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks

Post by jlehtone » 2023/12/22 08:28:23

TrevorH wrote:
2023/12/21 23:57:50
You could perhaps use EL8 or EL9 SRPMs and rebuild ...
IMHO, an install of EL8 or EL9 based distro is the "least effort" way to get supported ssh (and distro).
Yes, it has its own hurt, but that hurt is inevitable (Soon™).

moonwang wrote:
2023/12/22 02:36:17
it looks like the crypto policy scripts are not available in EL7
Red Hat introduced central crypto policies in EL8. One tool offers (crypto bits of) config for multiple programs/services/systems:
• GnuTLS library (GnuTLS, SSL, TLS)
• OpenSSL library (OpenSSL, SSL, TLS)
• NSS library (NSS, SSL, TLS)
• OpenJDK (java-tls, SSL, TLS)
• Libkrb5 (krb5, kerberos)
• BIND (BIND, DNSSec)
• OpenSSH (OpenSSH, SSH)
• Libreswan (libreswan, IKE, IPSec)
• libssh (libssh, SSH)

For example, the sshd config in EL9 does contain:

Code:

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config
As you found, EL7 does not yet have such a tool; one has to modify configs "manually".
(The sshd in EL7 does not have the 'Include' keyword either.)
