1. /etc/ssh/zos_ssh_config
CiphersSource ICSF
This has nothing to do with the CVE, and I wouldn't use this. The default 
(CPACF) uses significantly less CPU than going through ICSF. Same goes for 
MACsSource.

2. /etc/ssh/sshd_config
Algorithms to exclude:

Ciphers   #remove the following:
chacha20-poly1...@openssh.com

Macs  # remove the following:
hmac-sha2-512-...@openssh.com
hmac-sha2-256-...@openssh.com
hmac-sha1-...@openssh.com
hmac-md5-...@openssh.com

3. You should do the same Cipher and MACs changes in /etc/ssh/ssh_config, 
otherwise you are only protecting SSHD connections from this MITM attack.

FYI - information on configuring OpenSSH can be found here:

https://coztoolkit.com/docs/pt-quick-inst/pto-inst-cpacf.html#pto-inst-cpacf-enable


Kirk Wolf
Dovetailed Technologies
http://coztoolkit.com

On Thu, Jan 25, 2024, at 10:26 AM, Jousma, David wrote:
> We were able to remediate the situation by the following ssh config changes.  
>    Thanks to our invisible friend kekronbekron for pointing me to some 
> additional helpful information.
> 
> 
> EDIT /etc/ssh/zos_ssh_config
> 
> Command ===>
> 
> ****** *****************************************
> 
> 000001 # set crypto options
> 
> 000002 CiphersSource ICSF
> 
> 
> 
> 
> 
> EDIT /etc/ssh/sshd_config
> 
> Command ===>
> 
> 000102 Subsystem sftp /usr/lib/ssh/sftp-server
> 
> 000103
> 
> 000104 #set crypto options
> 
> 000105 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
> 
> 
> Dave Jousma
> Vice President | Director, Technology Engineering
> 
> 
> 
> 
> 
> From: Jousma, David <david.jou...@53.com>
> Date: Thursday, January 25, 2024 at 9:04 AM
> To: IBM-Main (ibm-main@listserv.ua.edu) <ibm-main@listserv.ua.edu>
> Subject: New SSH vulnerability
> Looks like a fairly new SSH vulnerability has surfaced…Anyone figure out a 
> local remediation for this yet?   As per usual, IBM is mum.   There is no 
> fixing PTF yet based on what I see in ResourceLink.
> 
> 
> QID: 38913
> Severity: HIGH
> Definition: SSH Prefix Truncation Vulnerability (Terrapin)
> 
> Description
> 
> The Terrapin attack exploits weaknesses in the SSH transport layer protocol 
> in combination with newer cryptographic algorithms and encryption modes 
> introduced by OpenSSH over 10 years ago. Since then, these have been adopted 
> by a wide range of SSH implementations, therefore affecting a majority of 
> current implementations.
> 
> 
> 
> 
> 
> QID Detection Logic (Unauthenticated):
> 
> 
> 
> This detection attempts to start the SSH key exchange process and examines 
> whether either of the vulnerable ChaCha20-Poly1305 Algorithm or CBC-EtM 
> Algorithm is active. It subsequently verifies whether Strict Key Exchange is 
> enabled. If a target is identified as vulnerable, it indicates that the 
> target supports either of the vulnerable algorithms and lacks support for 
> Strict Key Exchange.
> 
> Solution
> 
> Customers are advised to refer to the individual vendor advisory for their 
> operating system and install the patch released by the vendor. For more 
> information regarding the vulnerability, please refer to Terrapin 
> Vulnerability
> 
> 
> 
> Patch:
> 
> 
> 
> Following are links for downloading patches to fix the vulnerabilities:
> 
> OpenWall Security Advisory
> 
> Impact
> 
> Successful exploitation of the vulnerability may allow an attacker to 
> downgrade the security of an SSH connection when using SSH extension 
> negotiation. The impact in practice heavily depends on the supported 
> extensions. Most commonly, this will impact the security of client 
> authentication when using an RSA public key.
> 
> CVEs
> 
> CVE-2023-48795
> 
> Results
> 
> SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22
> 
> ChaCha20-Poly1305 Algorithm Support: True
> 
> CBC-EtM Algorithm Support: False
> 
> Strict Key Exchange algorithm enabled: False
> 
> EVM Report: Yes
> EVM Risk Score: 4.9
> 
> Host Details
> Host: 192.168.30.2
> IP Address: 192.168.30.2
> Operating System: IBM OS/390
> Tier: T3
> FQDN:
> Port: 22
> Protocol: tcp
> 
> 
> 
> 
> Dave Jousma
> Vice President | Director, Technology Engineering
> 
> 
> 
> 
> 
> 
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
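
One way to check a config file for the algorithms discussed in this thread, as an added example that is not part of any poster's message. It spells out the standard OpenSSH names (`chacha20-poly1305@openssh.com` and the `-etm@openssh.com` MACs) that the archive shortened; the function name `terrapin_audit` and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report Terrapin-relevant entries in an
# OpenSSH config file such as /etc/ssh/sshd_config or /etc/ssh/ssh_config.

terrapin_audit() {
    # $1 = config file path. Prints one finding per line; no output means the
    # explicit Ciphers and MACs lists contain none of the flagged names.
    awk '
    {   # Keep only the first Ciphers/MACs line: OpenSSH uses the first value.
        line = $0
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)
        kw = tolower(f[1])              # keywords are case-insensitive
        if ((kw == "ciphers" || kw == "macs") && !(kw in val)) val[kw] = f[2]
    }
    END {
        report("ciphers", "^chacha20-poly1305@openssh\\.com$")
        report("macs", "-etm@openssh\\.com$")
    }
    function report(kw, pat,    n, a, i) {
        # No line at all means the compiled-in default list is in effect.
        if (!(kw in val)) { print kw ": not set, compiled-in defaults apply"; return }
        # A leading +, - or ^ edits the default list rather than replacing it.
        if (val[kw] ~ /^[-+^]/) { print kw ": modifies defaults, review " val[kw]; return }
        n = split(val[kw], a, ",")
        for (i = 1; i <= n; i++) if (a[i] ~ pat) print kw ": remove " a[i]
    }
    ' "$1"
}

# Constructed sample configs (not the poster's files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before" <<'EOF'
Subsystem sftp /usr/lib/ssh/sftp-server
Ciphers aes128-ctr,chacha20-poly1305@openssh.com,aes256-ctr
EOF
cat > "$demo_dir/after" <<'EOF'
Subsystem sftp /usr/lib/ssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
echo "before:"; terrapin_audit "$demo_dir/before"
echo "after:";  terrapin_audit "$demo_dir/after"
```

Run it against both the server and client files, since each side negotiates from its own list.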
