安全公告/【CVE-2023-48795】

基本信息

漏洞描述

带有某些 OpenSSH 扩展的 SSH 传输协议（在 OpenSSH 9.6 之前的版本和其他产品中发现）允许远程攻击者绕过完整性检查，从而省略某些数据包（从扩展协商消息中），因此客户端和服务器可能最终建立一些安全功能已降级或禁用的连接，也称为 Terrapin 攻击。发生这种情况的原因是，这些扩展实现的 SSH 二进制数据包协议 (BPP) 错误处理了握手阶段并错误处理了序列号的使用。例如，有一种针对 SSH 使用 ChaCha20-Poly1305（以及使用 Encrypt-then-MAC 的 CBC）的有效攻击。绕过发生在 chacha20-poly1305@openssh.com 和（如果使用 CBC） -etm@openssh.com MAC 算法中。这也会影响 3.1.0-SNAPSHOT 之前的 Maverick Synergy Java SSH API、2022.83 之前的 Dropbear、Erlang/OTP 中 5.1.1 之前的 Ssh、0.80 之前的 PuTTY、2.14.2 之前的 AsyncSSH、0.17.0 之前的 golang.org/x/crypto、0.10.6 之前的 libssh、1.11.0 之前的 libssh2、3.4.6 之前的 Thorn Tech SFTP Gateway、5.1 之前的 Tera Term、3.4.0 之前的 Paramiko、0.2.15 之前的 jsch、2.5.6 之前的 SFTPGo、23.09.1 之前的 Netgate pfSense Plus、2.7.2 之前的 Netgate pfSense CE、18.2.0 之前的 HPN-SSH、1.3.8b 之前的 ProFTPD（和 1.3.9rc2 之前）和 ORYX CycloneSSH 2.3.4 之前、NetSarang XShell 7 Build 0144 之前、CrushFTP 10.6.0 之前、ConnectBot SSH 库 2.2.22 之前、Apache MINA sshd 至 2.11.0、sshj 至 0.37.0、TinySSH 至 20230101、trilead-ssh2 6401、LANCOM LCOS 和 LANconfig、FileZilla 3.66.4 之前、Nova 11.8 之前、PKIX-SSH 14.4 之前、SecureCRT 9.4.3 之前、Transmit5 5.10.4 之前、Win32-OpenSSH 9.5.0.0p1-Beta 之前、WinSCP 6.2.2 之前、Bitvise SSH Server 9.32 之前、Bitvise SSH Client 9.33 之前、KiTTY 至0.76.1.13、Ruby 的 net-ssh gem 7.2.0、Node.js 的 1.15.0 之前的 mscdex ssh2 模块、Rust 的 0.35.1 之前的 thrussh 库以及 Rust 的 0.40.2 之前的 Russh 板条箱。

修复方式

软件包升级
rpm -ivh libssh-0.9.4-5.rf01.zkhq8

补丁

厂商补丁: 目前厂商已发布升级补丁以修复漏洞，补丁获取链接: https://www.openssh.com/openbsd.html

参考

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html;https://matt.ucc.asn.au/dropbear/CHANGES;https://www.openssh.com/openbsd.html;https://github.com/openssh/openssh-portable/commits/master;https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ;https://www.bitvise.com/ssh-server-version-history;https://github.com/ronf/asyncssh/tags;https://gitlab.com/libssh/libssh-mirror/-/tags;https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/;https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42;https://www.openssh.com/txt/release-9.6;https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/;https://www.terrapin-attack.com;https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25;https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst;https://thorntech.com/cve-2023-48795-and-sftp-gateway/;https://github.com/warp-tech/russh/releases/tag/v0.40.2;https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0;https://www.openwall.com/lists/oss-security/2023/12/18/2;https://twitter.com/TrueSkrillor/status/1736774389725565005;https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d;https://github.com/paramiko/paramiko/issues/2337;https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg;https://news.ycombinator.com/item?id=38684904;https://news.ycombinator.com/item?id=38685286;http://www.openwall.com/lists/oss-security/2023/12/18/3;https://github.com/mwiede/jsch/issues/457;https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6;https://github.com/erlang/otp/releases/tag/OTP-26.2.1;https://github.com/advisories/GHSA-45x7-px36-x8w8;https://security-tracker.debian.org/tracker/source-package/libssh2;https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg;https://security-tracker.debian.org/tracker/CVE-2023-48795;https://bugzilla.suse.com/show_bug.cgi?id=1217950;https://bugzilla.redhat.com/show_bug.cgi?id=2254210;https://bugs.gentoo.org/920280;https://ubuntu.com/security/CVE-2023-48795;https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/;https://access.redhat.com/security/cve/cve-2023-48795;https://github.com/mwiede/jsch/pull/461;https://github.com/drakkan/sftpgo/releases/tag/v2.5.6;https://github.com/libssh2/libssh2/pull/1291;https://forum.netgate.com/topic/184941/terrapin-ssh-attack;https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5;https://github.com/rapier1/hpn-ssh/releases;https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES;https://www.netsarang.com/en/xshell-update-history/;https://www.paramiko.org/changelog.html;https://github.com/proftpd/proftpd/issues/456;https://github.com/TeraTermProject/teraterm/releases/tag/v5.1;https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15;https://oryx-embedded.com/download/#changelog;https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update;https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22;https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab;https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3;https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC;https://crates.io/crates/thrussh/versions;https://github.com/NixOS/nixpkgs/pull/275249;http://www.openwall.com/lists/oss-security/2023/12/19/5;https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc;https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/;http://www.openwall.com/lists/oss-security/2023/12/20/3;https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES;https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES;https://github.com/apache/mina-sshd/issues/445;https://github.com/hierynomus/sshj/issues/916;https://github.com/janmojzis/tinyssh/issues/81;https://www.openwall.com/lists/oss-security/2023/12/20/3;https://security-tracker.debian.org/tracker/source-package/trilead-ssh2;https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16;http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/;https://www.debian.org/security/2023/dsa-5586;https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508;https://www.theregister.com/2023/12/20/terrapin_attack_ssh;https://filezilla-project.org/versions.php;https://nova.app/releases/#v11.8;https://roumenpetrov.info/secsh/#news20231220;https://www.vandyke.com/products/securecrt/history.txt;https://help.panic.com/releasenotes/transmit5/;https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta;https://github.com/PowerShell/Win32-OpenSSH/issues/2189;https://winscp.net/eng/docs/history#6.2.2;https://www.bitvise.com/ssh-client-version-history#933;https://github.com/cyd01/KiTTY/issues/520;https://www.debian.org/security/2023/dsa-5588;https://github.com/ssh-mitm/ssh-mitm/issues/165;https://news.ycombinator.com/item?id=38732005;https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html;https://security.gentoo.org/glsa/202312-16;https://security.gentoo.org/glsa/202312-17;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/;https://security.netapp.com/advisory/ntap-20240105-0004/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/;https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/;https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html;https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/;https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/;https://support.apple.com/kb/HT214084;http://seclists.org/fulldisclosure/2024/Mar/21;https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html;http://www.openwall.com/lists/oss-security/2024/04/17/8;http://www.openwall.com/lists/oss-security/2024/03/06/3