I am currently traveling in mostly remote areas until sometime in April 2024. Consequently DM's sent to me will go unanswered during this time.
For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add
Fixes are already being implemented in repositories.
On Debian 12 when released it had OpenSSH server "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u1" - on this version Terrapin Scanner report is: "The scanned peer is VULNERABLE to Terrapin."
I updated OpenSSH server package and it now has "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2" - on this version Terrapin scanner reports: "The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it."
In short: update your Debian 12 OpenSSH server package as soon as possible.
EDIT: Debian 11 also has it updated and patched in its repositories.
"A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."
Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.
"A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."
Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.
Pinned nonetheless.
In Serbia, we don't say "better safe than sorry." We say "posle jebanja nema kajanja" and I think it's beautiful!
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member BikeGremlin's web-hosting reviews
"A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."
Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.
Overblown perhaps but I wouldn't call it FUD. SSH sessions are assumed secure and if they aren't it's not FUD.
"A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."
Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.
No. The big move of websites to https and tls certificates is partly due to skids taking over public wifi hotspots and executing AitM (I guess that is what we used to call MITM) attacks on the client connections. SSH isn't much different. The attack can be packaged into a script that the skids run. That is why they're called skids. They run scripts.
@terrorgen said: When did we start referring to MitM as AitM?
Just after we blacklisted word blacklist because racist.
Next thing we cancel the word "blacklist" because it depicts exclusion within an environment which should promote inclusion.
With all this cancel culture, we may end up in involution or some world war due to promoting cancellation of actually listening to one another. We might need a "man in the middle" to promote peace within an environment where people keep cancelling words and expressions from dictionary.
terrorgen
OG
Comments
Thanks for posting.
I am currently traveling in mostly remote areas until sometime in April 2024. Consequently DM's sent to me will go unanswered during this time.
For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add
Fixes are already being implemented in repositories.
On Debian 12 when released it had OpenSSH server "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u1" - on this version Terrapin Scanner report is: "The scanned peer is VULNERABLE to Terrapin."
I updated OpenSSH server package and it now has "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2" - on this version Terrapin scanner reports: "The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it."
In short: update your Debian 12 OpenSSH server package as soon as possible.
EDIT: Debian 11 also has it updated and patched in its repositories.
How are you... online?
sigh...note that there is a ext4 data corruption issue going around that suggests not updating
Can't find any update on my Debian 12. Did I miss something?
https://microlxc.net/
That one was already solved when they released 12.4.
FreeVPS.org - Grab a free VPS!
"...was developed by academic researchers from Ruhr University Bochum in Germany."
OVH be like...
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I just tested this on DietPi too (latest version). It is not patched on either OpenSSH or Dropbear.
How are you... online?
@FrankZ - this thread should be pinned. Members need to be aware of this vulnerability.
How are you... online?
As always FUD.
"A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange."
Imagine what resources this would require. This is not achievable via skid methods. Not relevant to low end world.
Pinned nonetheless.
In Serbia, we don't say "better safe than sorry." We say "posle jebanja nema kajanja" and I think it's beautiful!
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Status of Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
OpenSSH is fixed.
Dropbear has not been fixed yet.
Overblown perhaps but I wouldn't call it FUD. SSH sessions are assumed secure and if they aren't it's not FUD.
No. The big move of websites to https and tls certificates is partly due to skids taking over public wifi hotspots and executing AitM (I guess that is what we used to call MITM) attacks on the client connections. SSH isn't much different. The attack can be packaged into a script that the skids run. That is why they're called skids. They run scripts.
When did we start referring to MitM as AitM?
Is it because of gender neutrality or MitM can have good intentions?
The all seeing eye sees everything...
Just after we blacklisted word blacklist because racist.
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
Next thing we cancel the word "blacklist" because it depicts exclusion within an environment which should promote inclusion.
With all this cancel culture, we may end up in involution or some world war due to promoting cancellation of actually listening to one another. We might need a "man in the middle" to promote peace within an environment where people keep cancelling words and expressions from dictionary.
How are you... online?
Clown world.
Asshole in the Middle? Still gender-neutral.
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.