Is CoreFTP SFTP Server vulnerable to Terrapin?

Report bugs or issues with Core FTP Server here
brunis
Posts: 9
Joined: Thu May 26, 2016 9:24 am

Is CoreFTP SFTP Server vulnerable to Terrapin?

Post by brunis »

Are the parts of Core SFTP Server that use OpenSSH vulnerable to the Terrapin attack?
ForumAdmin
Site Admin
Posts: 987
Joined: Mon Mar 24, 2003 4:37 am

Re: Is CoreFTP SFTP Server vulnerable to Terrapin?

Post by ForumAdmin »

The Terrapin attack tool indicates ChaCha20 should be avoided. It is not available by default in Core FTP Server and needs to be added manually, so in most cases no action will be needed. If already added, then it should be removed under the "cipher algorithms" settings (SSH/SFTP - "..." in the domain setup).


For the MAC ETM part of the Terrapin attack, there are two options.

1) Go into the "cipher algorithms", "Add" the following:

AES128-CTR
AES192-CTR
AES256-CTR
AES128-GCM
AES256-GCM

AES-GCM ciphers are being touted as the preferred option by the team that reported the vulnerability - those can be added first if you like.


2) Make no changes to your cipher settings in step #1 (minus ChaCha20), go into the "MAC algorithms" settings and add any ciphers that don't have -etm in them. "sha1" is considered outdated, but you may have legacy software that still needs it; if not, it's a great time to not add it.



This vulnerability has been classified as "medium" and it has not been confirmed whether or not Core FTP Server is affected. These settings should prevent attempts via the Terrapin attack.

Associated CVE details can be found under:
CVE-2023-48795
CVE-2023-46445
CVE-2023-46446
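The post above tells you which cipher and MAC settings to change but not how to verify what the server actually advertises afterwards. The following is an added example, not Core FTP Server code and not from the forum: it encodes and parses an SSH KEXINIT message (RFC 4253 section 7.1), applies the same decision rule the public Terrapin scanner uses (exposed if the peer offers chacha20-poly1305@openssh.com, or a CBC cipher together with an -etm MAC, and does not offer the strict key exchange extension), and can also fetch a live server's KEXINIT, which is the first unencrypted packet after the version banner. The sample algorithm lists (SAMPLE_DEFAULT, SAMPLE_HARDENED, SAMPLE_STRICT_KEX) are constructed for illustration and are not Core FTP Server defaults. Note that the scanner rule is narrower than the post's advice: CTR with an -etm MAC is not flagged as exploitable, but the result still lists every -etm MAC so the blanket removal described above can be applied.

```python
"""Offline Terrapin (CVE-2023-48795) exposure check for an SSH KEXINIT.

Added example, not Core FTP Server code. The decision rule mirrors the public
Terrapin scanner: a peer is exposed when it offers chacha20-poly1305 or a CBC
cipher with an -etm MAC, and the session cannot be protected by strict kex.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
CHACHA20 = "chacha20-poly1305@openssh.com"

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Constructed sample server offers (not Core FTP Server defaults).
SAMPLE_DEFAULT = {          # CBC plus EtM MAC, no strict kex: exposed
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519"],
    "enc_c2s": ["aes128-cbc", "aes256-ctr"], "enc_s2c": ["aes128-cbc", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
SAMPLE_HARDENED = dict(SAMPLE_DEFAULT,  # what the post's steps 1 and 2 leave behind
    enc_c2s=["aes256-gcm@openssh.com", "aes256-ctr"],
    enc_s2c=["aes256-gcm@openssh.com", "aes256-ctr"],
    mac_c2s=["hmac-sha2-256", "hmac-sha2-512"],
    mac_s2c=["hmac-sha2-256", "hmac-sha2-512"])
SAMPLE_STRICT_KEX = dict(SAMPLE_DEFAULT,  # weak algorithms kept, but strict kex offered
    kex=SAMPLE_DEFAULT["kex"] + [STRICT_KEX_SERVER])


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (missing lists are empty)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        out += _name_list(lists.get(field, []))
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}                      # skip message id and 16-byte cookie
    for field in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = raw.split(",") if raw else []
    return lists


def assess_terrapin(lists, is_server=True):
    """Apply the Terrapin scanner rule to parsed KEXINIT name-lists."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    strict = (STRICT_KEX_SERVER if is_server else STRICT_KEX_CLIENT) in lists["kex"]
    findings = []
    if CHACHA20 in ciphers:
        findings.append("offers " + CHACHA20)
    cbc = sorted(c for c in ciphers if "-cbc" in c)
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    if cbc and etm:
        findings.append(f"offers CBC cipher(s) {cbc} with EtM MAC(s) {etm}")
    return {"strict_kex": strict, "etm_macs": etm, "findings": findings,
            "vulnerable": bool(findings) and not strict}


def probe_server(host, port=22, timeout=5.0):
    """Fetch a live server's KEXINIT (first packet after the banner) and assess it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:                          # skip pre-banner lines, RFC 4253 section 4.2
            line = f.readline()
            if not line:
                raise ConnectionError("server closed before sending a version banner")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-TerrapinCheck\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)
        payload = body[1:packet_len - body[0]]   # strip padding_length and padding
    return assess_terrapin(parse_kexinit(payload))


if __name__ == "__main__":
    for name, offer in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                        ("strict-kex", SAMPLE_STRICT_KEX)):
        print(name, assess_terrapin(parse_kexinit(build_kexinit(offer))))
```

Run `probe_server("sftp.example.internal", 22)` (hypothetical host) against a test instance before and after changing the "cipher algorithms" and "MAC algorithms" settings; the `etm_macs` list should be empty afterwards and `vulnerable` should be False. The sample offers show the three states a practitioner will meet: weak algorithms without strict kex (exposed), weak algorithms removed (not exposed), and weak algorithms kept but strict kex advertised by a patched implementation (not exposed, because strict kex defeats the prefix truncation).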
ForumAdmin
Site Admin
Posts: 987
Joined: Mon Mar 24, 2003 4:37 am

Re: Is CoreFTP SFTP Server vulnerable to Terrapin?

Post by ForumAdmin »

Update: Build 752 and greater removes -etm HMACs from any default settings.