Is CoreFTP SFTP Server vulnerable to Terrapin?
Are the parts of Core SFTP Server that use OpenSSH vulnerable to the Terrapin attack?
- Site Admin
- Posts: 984
- Joined: Mon Mar 24, 2003 4:37 am
Re: Is CoreFTP SFTP Server vulnerable to Terrapin?
The Terrapin attack tool indicates ChaCha20 should be avoided. It is not available by default in Core FTP Server and needs to be added manually, so in most cases no action will be needed. If already added, then it should be removed under the "cipher algorithms" settings (SSH/SFTP - "..." in the domain setup).
For the MAC ETM part of the Terrapin attack, there are two options.
1) Go into the "cipher algorithms", "Add" the following:
AES128-CTR
AES192-CTR
AES256-CTR
AES128-GCM
AES256-GCM
AES-GCM ciphers are being touted as the preferred option by the team that reported the vulnerability - those can be added first if you like.
2) Make no changes to your cipher settings in step #1 (minus ChaCha20), go into the "MAC algorithms" settings and add any ciphers that don't have -etm in them. "sha1" is considered outdated but you may have legacy software that still needs it; if not, it's a great time to not add it.
This vulnerability has been classified as "medium" and it has not been confirmed whether or not Core FTP Server is affected. These settings should prevent attempts via the Terrapin attack.
Associated CVE details can be found under:
CVE-2023-48795
CVE-2023-46445
CVE-2023-46446
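To check that the cipher and MAC changes described in the reply above actually took effect, a practitioner can look at what the server advertises in its SSH_MSG_KEXINIT. The following is an added example, not Core FTP Server code and not from the forum poster: it builds a minimal KEXINIT payload (RFC 4253 section 7.1), parses the algorithm name-lists back out, and flags the two combinations the Terrapin scanner reports, ChaCha20-Poly1305 on its own and CBC ciphers paired with -etm MACs, while noting whether the strict key exchange extension is offered. Algorithm names are SSH wire names (for example aes128-gcm@openssh.com rather than the "AES128-GCM" menu label), and the sample payloads are constructed inline, not captured from a real server.

```python
import struct

# Added example: parse an SSH_MSG_KEXINIT and flag the Terrapin-relevant
# algorithm combinations (ChaCha20-Poly1305, and CBC ciphers paired with
# -etm MACs).  All payloads below are constructed for the demo.


def _namelist(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, ciphers, macs):
    """Construct a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    payload = bytes([20]) + bytes(16)                     # msg id 20 + 16-byte cookie
    payload += _namelist(kex)                             # kex_algorithms
    payload += _namelist(["ssh-ed25519"])                 # server_host_key_algorithms
    payload += _namelist(ciphers) + _namelist(ciphers)    # encryption c2s / s2c
    payload += _namelist(macs) + _namelist(macs)          # mac c2s / s2c
    payload += _namelist(["none"]) + _namelist(["none"])  # compression c2s / s2c
    payload += _namelist([]) + _namelist([])              # languages c2s / s2c
    payload += b"\x00" + b"\x00\x00\x00\x00"              # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT into kex, cipher and MAC lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17                                              # skip msg id and cookie
    lists = []
    for _ in range(10):
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n]
        off += n
        lists.append(raw.decode("ascii").split(",") if raw else [])
    return {
        "kex": lists[0],
        "ciphers": sorted(set(lists[2]) | set(lists[3])),
        "macs": sorted(set(lists[4]) | set(lists[5])),
    }


def assess_terrapin(kexinit):
    """Classify one peer's offer the way the Terrapin scanner does.

    Strict kex (kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com)
    only mitigates the attack when both peers negotiate it; from a single
    KEXINIT we can only report whether this side offers it.
    """
    strict_kex = any(k.startswith("kex-strict-") for k in kexinit["kex"])
    chacha = [c for c in kexinit["ciphers"] if c == "chacha20-poly1305@openssh.com"]
    cbc = [c for c in kexinit["ciphers"] if c.endswith("-cbc")]
    etm = [m for m in kexinit["macs"] if m.endswith("-etm@openssh.com")]
    findings = []
    if chacha:
        findings.append("ChaCha20-Poly1305 offered: remove it from cipher algorithms")
    if cbc and etm:
        findings.append("CBC cipher(s) %s offered with EtM MAC(s) %s: remove one side"
                        % (cbc, etm))
    exposed = bool(chacha or (cbc and etm))
    return {
        "strict_kex_offered": strict_kex,
        "vulnerable": exposed and not strict_kex,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed "before" offer: ChaCha20 plus a CBC cipher with an EtM MAC.
    weak = build_kexinit(["curve25519-sha256"],
                         ["chacha20-poly1305@openssh.com", "aes128-cbc"],
                         ["hmac-sha2-256-etm@openssh.com"])
    print(assess_terrapin(parse_kexinit(weak)))
    # Constructed "after" offer matching the CTR/GCM ciphers and non-etm MACs above.
    hardened = build_kexinit(["curve25519-sha256"],
                             ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                              "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
                             ["hmac-sha2-256", "hmac-sha2-512"])
    print(assess_terrapin(parse_kexinit(hardened)))
```

Against a live server the same `parse_kexinit` can be fed the first packet the server sends after the version banner; the evaluator only looks at what is advertised, so a server that still lists ChaCha20 or -etm MACs alongside CBC ciphers will be flagged even if a well-configured client would never pick them.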
- Site Admin
- Posts: 984
- Joined: Mon Mar 24, 2003 4:37 am
Re: Is CoreFTP SFTP Server vulnerable to Terrapin?
Update: Build 752 and greater removes -etm hmacs for any default settings.