opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

[sshd security] terrapin CVE-2023-48795 #184

Closed skull-squadron closed 3 months ago

skull-squadron commented 8 months ago

Important notices

Environment

Summary

There is a new vulnerability when chacha20-poly1305 is enabled. (CVE)

Mitigations

  1. Upgrade to OpenSSH portable 9.6+
  2. OpenSSH portable <= 9.5 - Remove chacha20-poly1305@openssh.com from Ciphers

OPNsense-related

  1. /usr/local/etc/ssh/sshd_config
    1. Templated by /usr/local/etc/inc/plugins.inc.d/openssh.inc / https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/openssh.inc
    2. ... with values provided by configctl openssh query -> /usr/local/opnsense/scripts/openssh/ssh_query.py / https://github.com/opnsense/core/blob/master/src/opnsense/scripts/openssh/ssh_query.py
    3. ... triggered by running /usr/local/etc/rc.sshd (regenerate config only) or configctl openssh restart

Assessment tools

  1. Official scanner
  2. ssh-audit (using master)

Abridged sample of generated sshd_config

sshd_config

```
# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc
Port 22
Protocol 2
Compression yes
ClientAliveInterval 30
UseDNS no
X11Forwarding no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
AllowGroups wheel admins
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication no
HostKey /conf/sshd/ssh_host_rsa_key
HostKey /conf/sshd/ssh_host_ecdsa_key
HostKey /conf/sshd/ssh_host_ed25519_key
ListenAddress {{redacted}}
ListenAddress {{redacted}}
ListenAddress 127.0.0.1
ListenAddress ::1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
```

^ Ciphers: `chacha20-poly1305@openssh.com` is the important bit

One-off assessment using ssh-audit

Audit output

```
# general
(gen) banner: SSH-2.0-OpenSSH_9.3 FreeBSD-openssh-portable-9.3.p2_2,1
(gen) software: OpenSSH 9.3 running on FreeBSD
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
      `- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
      `- [info] default key exchange since OpenSSH 6.4

# host-key algorithms
(key) ssh-rsa (8192-bit) -- [fail] using broken SHA-1 hash algorithm
      `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
      `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
      `- [info] available since OpenSSH 6.5
      `- [info] default cipher since OpenSSH 6.9

# message authentication code algorithms
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
      `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
      `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
      `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:{{redacted}}
(fin) ssh-rsa: SHA256:{{redacted}}

# algorithm recommendations (for OpenSSH 9.3)
(rec) -ssh-rsa -- key algorithm to remove
(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append
(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append
(rec) +rsa-sha2-256 -- key algorithm to append
(rec) +rsa-sha2-512 -- key algorithm to append
(rec) +sntrup761x25519-sha512@openssh.com -- kex algorithm to append
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see:
```
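The two things the issue does by hand, checking the server's algorithm offer for the Terrapin conditions and deriving the mitigated `Ciphers` line for OpenSSH <= 9.5, as one offline script. This is an added example, not code from the issue, from OPNsense or from OpenSSH; `build_kexinit`, `parse_kexinit`, `terrapin_exposure`, `audit_sshd_config` and `check_issue_server` are names chosen here, and the KEXINIT bytes and sshd_config text are constructed from the algorithm lists quoted above rather than captured from a real host. The classification follows the public description of CVE-2023-48795: `chacha20-poly1305@openssh.com`, or any `*-cbc` cipher combined with an `*-etm@openssh.com` MAC, is exposed unless the server also advertises the strict-kex pseudo-algorithm `kex-strict-s-v00@openssh.com` that OpenSSH 9.6 introduced.

```python
"""Offline Terrapin (CVE-2023-48795) exposure check (added example).

Not OPNsense's or OpenSSH's code.  (1) Parses a server SSH_MSG_KEXINIT and
classifies the offer the way a Terrapin scanner does; (2) audits the
Ciphers/MACs/KexAlgorithms lines of a generated sshd_config and builds the
mitigated Ciphers line.  Sample data is constructed from the issue's lists.
"""
import re
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253, section 7.1).
NAMELISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
             "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
VULN_CIPHER = "chacha20-poly1305@openssh.com"
# Pseudo-kex name a patched server (OpenSSH 9.6+) advertises for strict kex.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def build_kexinit(**lists):
    """Encode a KEXINIT payload from name-lists; omitted lists are empty."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # fixed cookie: test vector only
    for field in NAMELISTS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload (the bytes after the binary-packet header)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # message byte + 16-byte cookie
    lists = {}
    for field in NAMELISTS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        lists[field] = [x for x in raw.decode("ascii").split(",") if x]
    return lists


def terrapin_exposure(kex, ciphers, macs):
    """Classify a server offer: vulnerable combination present, strict kex absent?"""
    chacha = VULN_CIPHER in ciphers
    # CBC ciphers are only exploitable together with an encrypt-then-MAC MAC.
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in kex
    return {
        "chacha20_poly1305": chacha,
        "cbc_etm": cbc_etm,
        "strict_kex": strict,
        # With strict kex a patched client is protected; without it every client is exposed.
        "vulnerable": (chacha or cbc_etm) and not strict,
    }


def audit_sshd_config(text):
    """Read explicit Ciphers/MACs/KexAlgorithms lines and propose the fixed Ciphers."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(Ciphers|MACs|KexAlgorithms)\s+([^\s#]+)", line)
        if m:  # assumes a full list, as in the OPNsense-generated file (no +/-/^ prefix)
            opts[m.group(1)] = m.group(2).split(",")
    ciphers = opts.get("Ciphers", [])
    report = terrapin_exposure(opts.get("KexAlgorithms", []), ciphers, opts.get("MACs", []))
    # Mitigation 2 from the issue: drop chacha20-poly1305 (and any CBC cipher) on OpenSSH <= 9.5.
    keep = [c for c in ciphers if c != VULN_CIPHER and not c.endswith("-cbc")]
    report["hardened_ciphers"] = "Ciphers " + ",".join(keep)
    return report


# Constructed from the generated sshd_config quoted in the issue.
SAMPLE_SSHD_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
"""


def check_issue_server(patched=False):
    """Constructed server KEXINIT matching the issue's offer; patched adds strict kex."""
    opts = dict(line.split(" ", 1) for line in SAMPLE_SSHD_CONFIG.splitlines())
    kex = opts["KexAlgorithms"].split(",") + ([STRICT_KEX_SERVER] if patched else [])
    enc, mac = opts["Ciphers"].split(","), opts["MACs"].split(",")
    payload = build_kexinit(kex=kex, hostkey=["ssh-ed25519"], enc_c2s=enc, enc_s2c=enc,
                            mac_c2s=mac, mac_s2c=mac, comp_c2s=["none"], comp_s2c=["none"])
    lists = parse_kexinit(payload)
    return terrapin_exposure(lists["kex"], lists["enc_s2c"], lists["mac_s2c"])


if __name__ == "__main__":
    print("unpatched:", check_issue_server())
    print("patched:  ", check_issue_server(patched=True))
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG)["hardened_ciphers"])
```

To use it against a live box, feed `parse_kexinit` the payload of the first KEXINIT the server sends after the version exchange (it is sent unencrypted, so a plain socket read plus the RFC 4253 packet-length/padding-length decode is enough), or feed `audit_sshd_config` the contents of `/usr/local/etc/ssh/sshd_config`; the `hardened_ciphers` string is what the `Ciphers` line should read on OpenSSH <= 9.5, and `strict_kex` is what should flip to true once the 9.6+ package is installed.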