tickets #152761
Terrapin attack vulnerable ssh services exposed to internet (closed)
Description
Hi,
Following up via email on the ticket opened here:
https://progress.opensuse.org/issues/152759
today we discovered that the ssh services exposed on
provo-mirror.opensuse.org (91.193.113.70)
status2.opensuse.org (91.193.113.72)
are vulnerable to the Terrapin attack (https://terrapin-attack.com). See
the output below.
Please network filter those ports (and other ssh services you may have
under different ports) to have access only from the static IPs of the
admins.
As a workaround if admins don't have a static IP, they could use a jump
host or the filter could be widened e.g. to their ISP ASN.
mdaltin@linux-x1fm:~/go/bin> ./Terrapin-Scanner -connect 91.193.113.72
==================================== Report
================================================================================
Remote Banner: SSH-2.0-OpenSSH_8.4
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
==> The scanned peer is VULNERABLE to Terrapin.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit our website available at https://terrapin-attack.com
mdaltin@linux-x1fm:~/go/bin> ./Terrapin-Scanner -connect 91.193.113.210
==================================== Report
================================================================================
Remote Banner: SSH-2.0-OpenSSH_7.9
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
==> The scanned peer is VULNERABLE to Terrapin.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit our website available at https://terrapin-attack.com
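The decision rule the scanner note describes (a peer counts as vulnerable when it offers chacha20-poly1305@openssh.com, or a CBC cipher together with an ETM MAC, and does not advertise strict key exchange) can be applied offline to a captured SSH_MSG_KEXINIT, which is useful for auditing one's own hosts from a packet capture. This is an added example, not the reporter's code nor the Terrapin-Scanner's; the algorithm lists are constructed to resemble an OpenSSH 8.4 default offer before and after the strict-kex update, and the cookie is a constructed placeholder.

```python
import struct

# Algorithm names involved in the Terrapin checks (strict kex is the countermeasure).
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
# KEXINIT name-lists in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(**lists):
    """Encode a KEXINIT payload from name-lists (missing lists are empty)."""
    body = bytes([20]) + b"\x00" * 16  # SSH_MSG_KEXINIT + constructed cookie
    for f in FIELDS:
        nl = ",".join(lists.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(nl)) + nl
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload (e.g. from a pcap) into a dict of name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[f] = [a for a in raw.split(",") if a]
        off += 4 + n
    return out

def terrapin_report(kexinit, role="server"):
    """Apply the scanner's three checks to one peer's KEXINIT; mirrors its report fields."""
    encs = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = CHACHA20 in encs
    cbc_etm = (any(e.endswith("-cbc") for e in encs)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX[role] in kexinit["kex"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "strict_kex": strict, "vulnerable": (chacha or cbc_etm) and not strict}

# Constructed lists resembling an OpenSSH 8.4 default offer (no strict kex).
ENC = [CHACHA20, "aes256-gcm@openssh.com"]
MAC = ["hmac-sha2-256-etm@openssh.com"]
OLD_SERVER = dict(kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
                  enc_c2s=ENC, enc_s2c=ENC, mac_c2s=MAC, mac_s2c=MAC)
# The same server after it started advertising strict key exchange.
NEW_SERVER = dict(OLD_SERVER, kex=OLD_SERVER["kex"] + [STRICT_KEX["server"]])

def check(lists, role="server"):
    return terrapin_report(parse_kexinit(build_kexinit(**lists)), role)
if __name__ == "__main__":
    print(check(OLD_SERVER), check(NEW_SERVER))
```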
Updated by crameleon about 1 year ago
- Tags set to security
- Category set to Core services and virtual infrastructure
- Status changed from New to Resolved
- Assignee set to crameleon
- Private changed from Yes to No
Copying my reply from https://progress.opensuse.org/issues/152759:
Hi,
thank you very much for the report.
These exposed SSH ports are definitely not correct, shell access is only permitted through our internal network.
I corrected this misconfiguration now.
Best,
Georg