CVE-2023-48795 Information
Share on:Description
The SSH transport protocol with certain OpenSSH extensions found in OpenSSH before 9.6 and other products allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message) and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP) implemented by these extensions mishandles the handshake phase and mishandles use of sequence numbers. For example there is an effective attack against SSH’s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT Dropbear through 2022.83 Ssh before 5.1.1 in Erlang/OTP PuTTY before 0.80 AsyncSSH before 2.14.2 and golang.org/x/crypto before 0.17.0; and there could be effects on Bitvise SSH through 9.31 and libssh through 0.10.5.
Reference
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html https://matt.ucc.asn.au/dropbear/CHANGES https://www.openssh.com/openbsd.html https://github.com/openssh/openssh-portable/commits/master https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ https://www.bitvise.com/ssh-server-version-history https://github.com/ronf/asyncssh/tags https://gitlab.com/libssh/libssh-mirror/-/tags https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 https://www.openssh.com/txt/release-9.6 https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ https://www.terrapin-attack.com https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst https://thorntech.com/cve-2023-48795-and-sftp-gateway/ https://github.com/warp-tech/russh/releases/tag/v0.40.2 https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 https://www.openwall.com/lists/oss-security/2023/12/18/2 https://twitter.com/TrueSkrillor/status/1736774389725565005 https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d https://github.com/paramiko/paramiko/issues/2337 https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg https://news.ycombinator.com/item?id=38684904 https://news.ycombinator.com/item?id=38685286 http://www.openwall.com/lists/oss-security/2023/12/18/3