Merge pull request #31 from adciu/master

Added OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks

docs/OSGSecurityAnnouncements.md

@@ -1,6 +1,6 @@
-
 | Date        | Title                                                 | Contents/Link       |   Risk        |
 |-------------|-------------------------------------------------------|---------------------|---------------|
+| 2024-01-09  | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) |     |
 | 2023-10-11  | HIGH Severity GNU C Library Privilege Escalation | [OSG-SEC-2023-10-09](./vulns/OSG-SEC-2023-10-09.md) |     |
 | 2023-09-26  | CRITICAL PMIx race condition vulnerability affecting Slurm | [OSG-SEC-2023-09-26](./vulns/OSG-SEC-2023-09-26.md) |     |
 | 2023-09-25  | HIGH Multiple Linux Kernel Vulnerabilities | [OSG-SEC-2023-09-25](./vulns/OSG-SEC-2023-09-25.md) |     |

docs/vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md

@@ -0,0 +1,41 @@
+# OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks
+
+Dear OSG Security Contacts,
+
+A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.
+
+## IMPACTED VERSIONS:
+
+Multiple versions of SSH, including AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others.
+
+## WHAT ARE THE VULNERABILITIES:
+
+Although the attack is cryptographically innovative, its security impact is limited. It only allows the deletion of consecutive messages, and deleting most messages at this protocol stage prevents user authentication from proceeding, leading to a stalled connection.
+The most significant identified impact is that it enables a man in the middle to delete the SSH2_MSG_EXT_INFO message sent before authentication begins. This allows the attacker to disable a subset of keystroke timing obfuscation features. However, there is no other observable impact on session secrecy or session integrity.
+## WHAT YOU SHOULD DO:
+
+Upgrade to secure packages as they become available.
+
+## REFERENCES
+[1] Red Hat Errata
+https://access.redhat.com/security/cve/cve-2023-48795 
+[2] SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)
+https://www.helpnetsecurity.com/2023/12/19/ssh-vulnerability-cve-2023-48795/ 
+[3] OpenSSH package version
+https://www.openssh.com/txt/release-9.6 
+[4] LibSSH package version
+https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ 
+[5] ASyncSSH package version
+https://asyncssh.readthedocs.io/en/latest/changes.html#release-2-14-2-18-dec-2023
+[6] PuTTY
+https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html 
+[7] Transmit
+https://help.panic.com/releasenotes/transmit5/#5104 
+[8] SUSE
+https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/v 
+[9] Ubuntu
+https://ubuntu.com/security/notices/USN-6560-1 
+
+Please contact the OSG security team at [email protected] if you have any questions or concerns.
+
+OSG Security Team

mkdocs.yml

@@ -12,6 +12,7 @@ nav:
   - Overview: 'OSGSecurityAnnouncements.md'
   - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
 - Announcement Details:
+    - OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md'
     - OSG-SEC-2023-09-26 CRITICAL PMIx race condition vulnerability affecting Slurm: './vulns/OSG-SEC-2023-09-26.md'
     - OSG-SEC-2023-09-25 HIGH Multiple Linux Kernel Vulnerabilities: './vulns/OSG-SEC-2023-09-25.md'
     - OSG-SEC-2023-08-01 MEDIUM OpenJDK TLS vulnerability: './vulns/OSG-SEC-2023-08-01.md'