jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

Terrapin attack (CVE-2023-48795) detection #227

Closed BernhardGruen closed 11 months ago

BernhardGruen commented 11 months ago

There is a new attack - called Terrapin (https://terrapin-attack.com/#scanner). It seems the default cipher chacha20-poly1305@openssh.com (and CBC ciphers too) are a good starting point for the attack.

There is also a scanner available for that specific issue: https://github.com/RUB-NDS/Terrapin-Scanner/releases

Maybe at some point in the future it would be a nice addition to have that scanner integrated into ssh-audit.

jtesta commented 11 months ago

I just checked in a test for this vulnerability into the master branch.

@BernhardGruen : thanks for reporting!

keteague commented 11 months ago

jtesta, thanks for the fast addition.

The Hardening guide needs to be updated to remove chacha20-poly1305@openssh.com, that is - if removal of that cipher is the suggested solution for the time being.

https://www.ssh-audit.com/hardening_guides.html
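
An added example (not part of this thread, and not ssh-audit's or Terrapin-Scanner's code) of the kind of check discussed above: it parses an SSH_MSG_KEXINIT payload and flags chacha20-poly1305@openssh.com and CBC ciphers. It goes beyond the thread in two details from the public Terrapin advisory: CBC is affected only in combination with Encrypt-then-MAC MACs, and the strict key exchange marker in the KEX list signals the countermeasure. All function names and the sample payload are constructed for illustration.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload: type byte 20, 16-byte cookie, ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    return out

def terrapin_findings(kexinit: dict, role: str = "server") -> list:
    """List affected cipher modes offered without the strict-KEX marker."""
    if STRICT_KEX[role] in kexinit["kex"]:
        return []  # this side advertises the strict key exchange countermeasure
    findings = []
    for d in ("c2s", "s2c"):
        ciphers, macs = kexinit["enc_" + d], kexinit["mac_" + d]
        if CHACHA in ciphers:
            findings.append(f"{d}: {CHACHA}")
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        if cbc and any(m.endswith("-etm@openssh.com") for m in macs):
            findings.append(f"{d}: CBC ciphers with EtM MACs ({', '.join(cbc)})")
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload (zero cookie) for offline testing."""
    body = b"".join(struct.pack(">I", len(s)) + s for s in
                    (",".join(lists.get(f, [])).encode() for f in FIELDS))
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)

if __name__ == "__main__":
    sample = build_kexinit({"kex": ["curve25519-sha256"],  # constructed sample
                            "enc_c2s": [CHACHA], "enc_s2c": [CHACHA]})
    print(terrapin_findings(parse_kexinit(sample)))
```

An empty result means this side advertises strict key exchange or offers none of the affected modes; strict key exchange only protects a connection when both client and server support it.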