You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
orlandoletra opened this issue
Jan 12, 2024
· 1 comment
Assignees
Labels
1.77.3Version 1.77.3Multi SSHRelated to Multi SSHOpenSSHConnectivity tool for remote sign-in that uses the SSH protocolPuttySSHIssues related to the SSH protocolThird partyIssue related to other apps or tools
mRemote is used to extensively and due to the widespread adoption of affected ssh cipher modes, patching Terrapin (CVE-2023-48795) is notoriously difficult. To make matters worse, "strict kex" requires both peers, client and server, to support it in order to take effect. A wide variety of SSH implementations started adopting "strict kex" since public disclosure.
Expected Behavior
The ssh connector should implement the disabling by default of the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms. This should be enforced in the default configuration of your SSH client, and use unaffected algorithms like AES-GCM.
Current Behavior
There is no protection against Terrapin Attack (CVE-2023-48795)
Possible Solution
The SSH implementation should support by default an strict key exchange (maybe made optional also). Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker's capability to inject packets during the initial handshake.
I am writing to inform you of some vulnerabilities I have discovered in mRemoteNG. The vulnerabilities are as follows: CVE-2023-48795: General Protocol Flaw CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH CVE-2023-46446: Rogue Session Attack in AsyncSSH
These vulnerabilities are related to the Terrapin attack, which can be exploited to degrade the security of the SSH protocol. More details about the Terrapin attack can be found at the following link: https://terrapin-attack.com/index.html#paper.
I believe it is of utmost importance that these vulnerabilities be addressed as soon as possible to ensure the security of mRemoteNG users. I hope you can consider releasing a new version of mRemoteNG that addresses these issues.
Thank you in advance for your attention to this matter, and I am available to provide further information if necessary.
Your Environment
Version used:
Windows 11 H22 x64
The text was updated successfully, but these errors were encountered:
mRemoteNG leverages PuTTYng (a fork of Putty) to connect with SSH. I already requested a new build with #2489, while #2454 should address the general issue of updating the dependencies.
Once the new PuTTYng version is out, you may update manually by replacing the exe until a new mRemoteNG build is created.
1.77.3Version 1.77.3Multi SSHRelated to Multi SSHOpenSSHConnectivity tool for remote sign-in that uses the SSH protocolPuttySSHIssues related to the SSH protocolThird partyIssue related to other apps or tools
mRemote is used to extensively and due to the widespread adoption of affected ssh cipher modes, patching Terrapin (CVE-2023-48795) is notoriously difficult. To make matters worse, "strict kex" requires both peers, client and server, to support it in order to take effect. A wide variety of SSH implementations started adopting "strict kex" since public disclosure.
Expected Behavior
The ssh connector should implement the disabling by default of the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms. This should be enforced in the default configuration of your SSH client, and use unaffected algorithms like AES-GCM.
Current Behavior
There is no protection against Terrapin Attack (CVE-2023-48795)
Possible Solution
The SSH implementation should support by default an strict key exchange (maybe made optional also). Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker's capability to inject packets during the initial handshake.
Steps to Reproduce (for bugs)
Please refer to the code made to test the vulnerability:
https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.2
Context
I am writing to inform you of some vulnerabilities I have discovered in mRemoteNG. The vulnerabilities are as follows:
CVE-2023-48795: General Protocol Flaw
CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
CVE-2023-46446: Rogue Session Attack in AsyncSSH
These vulnerabilities are related to the Terrapin attack, which can be exploited to degrade the security of the SSH protocol. More details about the Terrapin attack can be found at the following link: https://terrapin-attack.com/index.html#paper.
I believe it is of utmost importance that these vulnerabilities be addressed as soon as possible to ensure the security of mRemoteNG users. I hope you can consider releasing a new version of mRemoteNG that addresses these issues.
Thank you in advance for your attention to this matter, and I am available to provide further information if necessary.
Your Environment
The text was updated successfully, but these errors were encountered: