Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terrapin Attack #2552

Open
orlandoletra opened this issue Jan 12, 2024 · 1 comment
Open

Terrapin Attack #2552

orlandoletra opened this issue Jan 12, 2024 · 1 comment
Assignees
@Kvarkas
Labels
1.77.3 Version 1.77.3 Multi SSH Related to Multi SSH OpenSSH Connectivity tool for remote sign-in that uses the SSH protocol Putty SSH Issues related to the SSH protocol Third party Issue related to other apps or tools

Comments

@orlandoletra
Copy link

mRemote is used to extensively and due to the widespread adoption of affected ssh cipher modes, patching Terrapin (CVE-2023-48795) is notoriously difficult. To make matters worse, "strict kex" requires both peers, client and server, to support it in order to take effect. A wide variety of SSH implementations started adopting "strict kex" since public disclosure.

Expected Behavior

The ssh connector should implement the disabling by default of the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms. This should be enforced in the default configuration of your SSH client, and use unaffected algorithms like AES-GCM.

Current Behavior

There is no protection against Terrapin Attack (CVE-2023-48795)

Possible Solution

The SSH implementation should support by default an strict key exchange (maybe made optional also). Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker's capability to inject packets during the initial handshake.

Steps to Reproduce (for bugs)

Please refer to the code made to test the vulnerability:
https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.2

Context

I am writing to inform you of some vulnerabilities I have discovered in mRemoteNG. The vulnerabilities are as follows:
CVE-2023-48795: General Protocol Flaw
CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
CVE-2023-46446: Rogue Session Attack in AsyncSSH
These vulnerabilities are related to the Terrapin attack, which can be exploited to degrade the security of the SSH protocol. More details about the Terrapin attack can be found at the following link: https://terrapin-attack.com/index.html#paper.
I believe it is of utmost importance that these vulnerabilities be addressed as soon as possible to ensure the security of mRemoteNG users. I hope you can consider releasing a new version of mRemoteNG that addresses these issues.
Thank you in advance for your attention to this matter, and I am available to provide further information if necessary.

Your Environment

  • Version used:
  • Windows 11 H22 x64
@simonai1254
Copy link
Contributor

Hi

mRemoteNG leverages PuTTYng (a fork of Putty) to connect with SSH. I already requested a new build with #2489, while #2454 should address the general issue of updating the dependencies.
Once the new PuTTYng version is out, you may update manually by replacing the exe until a new mRemoteNG build is created.

Regards

@Kvarkas Kvarkas added SSH Issues related to the SSH protocol Third party Issue related to other apps or tools Putty Multi SSH Related to Multi SSH 1.77.3 Version 1.77.3 OpenSSH Connectivity tool for remote sign-in that uses the SSH protocol labels Jan 12, 2024
@Kvarkas Kvarkas self-assigned this Jan 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Kvarkas Kvarkas

Labels
1.77.3 Version 1.77.3 Multi SSH Related to Multi SSH OpenSSH Connectivity tool for remote sign-in that uses the SSH protocol Putty SSH Issues related to the SSH protocol Third party Issue related to other apps or tools
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Kvarkas @simonai1254 @orlandoletra