
What is an SSH Terrapin attack?

Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

The SSH Terrapin attack, known as CVE-2023-48795, is a serious security issue for the SSH protocol. It is a way an attacker can secretly intercept and alter the communication between the SSH server and client. It is a type of man-in-the-middle (MitM) attack.

Here’s a simpler breakdown of how it works:

  1. Manipulation of Communication: The attacker, positioned between the client (like your computer) and the server (the computer you're trying to securely connect to), tricks the client into thinking the server doesn't support the latest, more secure ways of verifying identity (known as signature algorithms). This is done by changing the messages passed between them.

  2. Security Downgrade: As a result, the client and server end up using older, less secure methods without realizing that someone is eavesdropping on their connection.

  3. Technical Vulnerabilities Exploited: The attack targets weaknesses in how SSH sets up its secure connection. For instance, it takes advantage of the fact that SSH doesn’t always check every part of its initial handshake (the process where the client and server establish a secure connection) and doesn't properly track the sequence of messages.

  4. OpenSSH Versions Affected: This issue particularly affects certain versions of OpenSSH (a specific implementation of SSH) before version 9.6. OpenSSH is used in many systems, so a lot of users could be vulnerable to this attack.

https://thehackernews.com/2024/01/new-terrapin-flaw-could-let-attackers.html

 
Posted : 02/01/2024 11:49 pm
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

Are any of you guys mass rolling out OpenSSH patches on Linux servers? What is your patching strategy for Linux? What tools are you using?

 
Posted : 02/01/2024 11:52 pm
(@termv)
Posts: 17
Eminent Member
 

The vulnerability can be exploited as long as either the client or the server is unpatched. The problem for sysadmins is that they don't necessarily have control over whether users are using vulnerable clients to connect to a patched server. It seems to me that it's necessary to disable ChaCha20-Poly1305 entirely in the SSH server's configuration rather than simply patch it server-side but leave it as the default cipher for broken clients to use.

I'm not seeing any guidance about this anywhere so perhaps my understanding is flawed.

 
Posted : 03/01/2024 10:29 am
Brandon Lee reacted
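An added example, not code from any post in this thread: a Python checker that parses an SSH_MSG_KEXINIT payload and reports whether a peer advertises the strict-kex countermeasure and whether it still offers the algorithm combinations Terrapin needs (ChaCha20-Poly1305, or a CBC cipher paired with an `-etm` MAC), which is the exposure @termv asks about for unpatched clients talking to a patched server. The `build_kexinit` helper and the algorithm lists in the test are constructed so it runs offline; reading a live KEXINIT from a socket is not shown.

```python
import struct

# Algorithms whose negotiation makes a connection exploitable by Terrapin
# (CVE-2023-48795): ChaCha20-Poly1305, or any CBC cipher paired with an
# encrypt-then-MAC (-etm) MAC. The "strict kex" extension is the fix; both
# peers must advertise it in their kex_algorithms list for it to apply.
VULNERABLE_CIPHERS = {"chacha20-poly1305@openssh.com"}
ETM_SUFFIX = "-etm@openssh.com"
STRICT_KEX = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}

def _name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 s.7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:          # 20 == SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    off = 17                                      # 1 byte msg id + 16 byte cookie
    out = {}
    for field in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        out[field], off = _name_list(payload, off)
    return out

def terrapin_exposure(payload):
    """Return (peer advertises strict kex, sorted list of risky cipher/MAC offers)."""
    k = parse_kexinit(payload)
    strict = bool(STRICT_KEX & set(k["kex"]))
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    risky = sorted(ciphers & VULNERABLE_CIPHERS)
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith(ETM_SUFFIX))
    risky += [f"{c}+{m}" for c in cbc for m in etm]
    return strict, risky

def build_kexinit(kex, ciphers, macs):
    """Constructed KEXINIT (zero cookie) so the checker can be exercised offline."""
    def nl(names):
        b = ",".join(names).encode("ascii")
        return struct.pack(">I", len(b)) + b
    return (bytes([20]) + bytes(16) + nl(kex) + nl(["ssh-ed25519"])
            + nl(ciphers) * 2 + nl(macs) * 2 + nl(["none"]) * 2 + nl([]) * 2
            + b"\x00" + struct.pack(">I", 0))
```

On the server side, sshd_config accepts `Ciphers -chacha20-poly1305@openssh.com` and `MACs -*-etm@openssh.com` to remove those algorithms from the default set, which covers clients that cannot negotiate strict kex.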
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

@termv I am with you. It seems there are always unknowns at the outset of new vulnerabilities. What tools are you using for Linux patching professionally or home lab?

 
Posted : 03/01/2024 10:41 am
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

@t3hbeowulf @malcolm-r @JNew1213 Curious what you guys are using professionally and in the home lab for updates, patching on both Windows and Linux. Always looking to learn about new tools and what others have found that works good.

 
Posted : 03/01/2024 10:46 am
JNew1213
(@jnew1213)
Posts: 25
Eminent Member
 

HOME

Windows: I've looked at a few options, but haven't rolled out anything. Possibly Lansweeper, but I haven't really given it any time yet.

Windows updates are done manually to servers that are in use all the time. Servers that are mostly powered off get updates the next time they're powered on.

Linux: I confess, there is no plan that's followed.

VMware Appliances (Photon): I try to keep current with the vCenter Server Appliance. Appliances that integrate with that: Log Insight, vSphere Replication (2 sites), SRM (2 sites), vROps, Runecast, etc., get less frequent updates. The mood has to strike, if you know what I mean. There's some flexibility between versions of vCenter Server and everything else.

ESXi: Pretty quick to update when a new patch comes out, but that's part of a few things that get updated at the same time. R750 gets booted and iDRAC, firmware, and ESXi get updated, VMs get vMotioned to it, then the R740 gets the same treatment, after which the VMs are vMotioned back. I still use baselines to do updates.

Veeam: The mood has to strike for that too. In fact, there has to be a full moon out, I need to hear the wolves howling, and if I see bats out my window, that pushes me along too. I have the next release downloaded for three weeks already and... well, SOON.

NASes: Synology packages are installed automatically. DSM updates are installed infrequently, as the NASes are always in use and, usually, some storage migration of VMs is necessary. I think my DS3615xs might have finally aged-out of being offered updates. My one TrueNAS Scale server gets updated when it's powered on. That's a media backup, so not critical. It spends most of its time powered off. Every time I touch that machine, something doesn't work the same way it did last time I used it.

Hmmm... I should add this to my runbook, which I am not making any progress with.

 

WORK

SCCM is used to patch Windows desktops, persistent VMs, and to build images used for Instant Clones (VDI). There's a dedicated team for that, and many thousands of clients. I have no idea how Linux machines/VMs are handled. That may be left to the individual owners of those machines.

The VMware Team handles vCenter Server and ESXi, as well as most associated software/plug-ins, etc., and vROps, CheckMK, and NetCool monitoring. Also CMDB, and a bunch of other things I am probably missing.

The VDI Team handles updates to Log Insight, Skyline, Runecast, VDI-related certificates, and a few other things.

There is another team that handles ControlUp monitoring, Monday.com board updates, and a few other things.

The Storage Team handles SAN and NAS.

There is a lot of interaction between the above teams, the AD Team, Networking Team, SCCM Team, and others. There are almost constant updates going on.

 
Posted : 03/01/2024 11:21 am
(@malcolm-r)
Posts: 64
Trusted Member
 

for home stuff, i patch everything manually when i feel like it. i just haven't had the desire to look into automation much. i tried using WSUS for Windows hosts for a while and it was a huge pain in the ass so i gave it up. that being said, i also have a Nessus scanner (their free version) scanning my most important assets.

for work... this is exactly my area. i help manage our vulnerability remediation solution. we use ServiceNow for tracking, ticketing, reporting, etc. we use Nessus/Tenable for scanning. when new vulnerabilities are found and brought into ServiceNow, we have rules that automatically assign them to the appropriate team. these teams get a certain amount of time to remediate the findings depending on the VPR score Tenable assigns them.

right now the Terrapin vuln is rated as a Medium, so teams have a bit longer to remediate than they would if it were a high/critical. the nice thing about VPR is that it evolves with the landscape. so in the future Tenable might upgrade it to a high/critical. in this case, we will automatically adjust the SLA period teams have to remediate and notify them.

we also take into account CISA's Known Exploited Vulnerabilities catalog. this, as you may be able to tell by the name, lists vulns that are known to have been exploited. if we have any assets that are found to be vulnerable to any of these, we flag them and infosec will assess and act accordingly.

like @jnw1213 we are in a constant state of patching. you have to be these days.

 
Posted : 03/01/2024 12:13 pm
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

@jnew1213 @malcolm-r Great insights there. I find that for home lab many don't really have a set tool or plan there. I am much the same way on that front as I am tearing things down and building back up so often that it doesn't make as much sense. I will say I am moving more to a DevOpsy approach with Ansible and Semaphore running Linux updates. I also have a pipeline that keeps fresh VMware templates built and ready for new Linux servers spun up in the lab.

Have you guys used PDQ Inventory and Deploy? This has been my go-to for lab, but I do run an NFR license that isn't readily available for free. It is great for patching on the Windows side.

 
Posted : 03/01/2024 4:05 pm
JNew1213
(@jnew1213)
Posts: 25
Eminent Member
 

PDQ is another one I have to look at. Touched it many years ago and really gave it no time. I need to do the needful.

I forgot to mention I have a brand-spanking-new WSUS server, but haven't taken the time to figure out how to use it. I don't have a detailed OU structure either, so that is something I think I need to work on. I basically have OUs for domain controllers, "servers," linked clones (not a thing any longer) and instant clones.

 
Posted : 03/01/2024 4:30 pm
Brandon Lee
(@brandon-lee)
Posts: 554
Member Admin
Topic starter
 

@jnew1213 yeah PDQ is a good one. They have kind of fallen behind the curve and are playing catch-up on the cloud side of things for devices without line-of-sight access to the PDQ server, but they are developing a cloud version as well. Yeah, WSUS is really a pain. I have never enjoyed administering it when it fell under my responsibility. It just never seemed bulletproof; there were always things that seemed to keep it from working as expected.

 
Posted : 03/01/2024 5:08 pm
(@t3hbeowulf)
Posts: 27
Eminent Member
 

On the home front:

  • I let Windows hosts auto-update and occasionally manually update things as needed.
  • Linux hosts are currently manually updated, but I do at least have it "partially scripted". I added an alias on every host I manage that lets me run `sysupdate` to pull updates, install everything available, auto-remove unnecessary packages and then clean up apt caches. (I run Debian-based distros on all hosts to remain consistent.) I have dabbled with Ansible to run this process on an automated schedule, but it is currently a "Future me" entry on my to-do list to finish setting that up.

On the work front: 

There is an entirely separate department dedicated to patching systems, and most of my (and our group's) involvement is alerting and cleaning up after their processes.

  • AFAIK, Windows and Mac hosts are largely managed by Microsoft Defender (via Active Directory registration)
  • They also use IBM BigFix and JAMF for managing patches on Mac and Windows hosts and workstations. 
  • For Linux server hosts, those are largely managed with Ansible scripts run periodically through Azure DevOps pipelines.

There is an entirely separate department dedicated to scanning for vulnerabilities and managing security in general. I am not aware of every tool they use but I do know we use Wiz and Palo Alto Prisma for scanning images and containers. 

 
Posted : 05/01/2024 4:41 pm
malcolm.r reacted