Comments

  • FrankZFrankZ Moderator

    Thanks for posting.

    Thanked by (1)terrorgen

    I am currently traveling in mostly remote areas until sometime in April 2024. Consequently DM's sent to me will go unanswered during this time.
    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • rootroot OG
    edited January 5

    Fixes are already being implemented in repositories.

    On Debian 12 when released it had OpenSSH server "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u1" - on this version Terrapin Scanner report is: "The scanned peer is VULNERABLE to Terrapin."

    I updated OpenSSH server package and it now has "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2" - on this version Terrapin scanner reports: "The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it."

    In short: update your Debian 12 OpenSSH server package as soon as possible.

    EDIT: Debian 11 also has it updated and patched in its repositories.

    Thanked by (1)host_c
  • havochavoc OGContent Writer

    sigh...note that there is a ext4 data corruption issue going around that suggests not updating

    Thanked by (1)bikegremlin
  • Can't find any update on my Debian 12. Did I miss something?

  • @havoc said:
    sigh...note that there is a ext4 data corruption issue going around that suggests not updating

    That one was already solved when they released 12.4.

    Thanked by (2)bikegremlin JeDaYoshi
  • bikegremlinbikegremlin ModeratorOGContent Writer

    "...was developed by academic researchers from Ruhr University Bochum in Germany."

    OVH be like...

    Thanked by (2)lapua someTom

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • I just tested this on DietPi too (latest version). It is not patched on either OpenSSH or Dropbear.

    Thanked by (1)MGarbis
  • @FrankZ - this thread should be pinned. Members need to be aware of this vulnerability.

    Thanked by (1)bikegremlin
  • As always FUD.

    "A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."

    Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    @legendary said:
    As always FUD.

    "A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."

    Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.

    Pinned nonetheless.

    In Serbia, we don't say "better safe than sorry." We say "posle jebanja nema kajanja" and I think it's beautiful! :)

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • Status of Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
    OpenSSH is fixed.
    Dropbear has not been fixed yet.

  • @legendary said:
    As always FUD.

    "A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."

    Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.

    Overblown perhaps but I wouldn't call it FUD. SSH sessions are assumed secure and if they aren't it's not FUD.

    Thanked by (1)bikegremlin
  • williewillie OG
    edited January 15

    @legendary said:
    As always FUD.

    "A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."

    Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.

    No. The big move of websites to https and tls certificates is partly due to skids taking over public wifi hotspots and executing AitM (I guess that is what we used to call MITM) attacks on the client connections. SSH isn't much different. The attack can be packaged into a script that the skids run. That is why they're called skids. They run scripts.

  • When did we start referring to MitM as AitM?
    Is it because of gender neutrality or MitM can have good intentions?

    Thanked by (1)bikegremlin

    The all seeing eye sees everything...

  • @terrorgen said: When did we start referring to MitM as AitM?

    Just after we blacklisted word blacklist because racist.

    Thanked by (3)chris FrankZ treesmokah

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • @Jab said:

    @terrorgen said: When did we start referring to MitM as AitM?

    Just after we blacklisted word blacklist because racist.

    Next thing we cancel the word "blacklist" because it depicts exclusion within an environment which should promote inclusion.

    With all this cancel culture, we may end up in involution or some world war due to promoting cancellation of actually listening to one another. We might need a "man in the middle" to promote peace within an environment where people keep cancelling words and expressions from dictionary.

  • @Jab said:

    @terrorgen said: When did we start referring to MitM as AitM?

    Just after we blacklisted word blacklist because racist.

    Clown world.

  • @terrorgen said:
    When did we start referring to MitM as AitM?
    Is it because of gender neutrality or MitM can have good intentions?

    Asshole in the Middle? Still gender-neutral.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

Sign In or Register to comment.