Skip to main content
Skip table of contents

ISN 2023-39: SSH Terrapin Vulnerability

First published 5 February 2024

CVSS 3.1: 5.9 (Medium)

CVSS:3.1/AV:N/AC:H/PR:N/S:U/C:N/I:H/A:N

Summary

A security vulnerability has been discovered in secure shell (SSH), which is used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

A vulnerability has been found in the SSH protocol that weakens the secure channel, so that messages could be removed during transmission.

However, an attack is only possible if the attacker can man-in-the-middle the SSH traffic and if the connection uses either ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC (CVE-2023-48795).
This is why this vulnerability is rated as medium.

It affects the OpenSSH server as well as the client.

Mitigation

OS 12 

  • The OpenSSH server in OS 12 is not activated by default. SSH is not necessary for managing IGEL OS, so unless you have another use case you can leave it deactivated.
  • If you use OS 12 base system version 12.3.1, you have the latest OpenSSH 9.6p1. When you use this version or newer on the peer, they will automatically use the new "strict KEX" protocol extension.

OS 11

  • The OpenSSH server in OS 11 is active by default, but SSH is not necessary for managing IGEL OS. Unless you have another use case, deactivate it.
  • If you use IGEL OS 11.09.210, you have the latest OpenSSH 9.6p1. When you use this version or newer on the peer, they will automatically use the new "strict KEX" protocol extension.

Update Instructions

  • OS 12: Update to OS 12 base system version 12.3.1 or newer, which has OpenSSH version 9.6p1.
  • OS 11: Update to IGEL OS version 11.09.210 or newer, which has OpenSSH version 9.6p1.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.