
Is CoreFTP SFTP Server vulnerable to Terrapin?

Posted: Thu Jan 04, 2024 12:43 pm
by brunis
Are the parts of Core SFTP Server that use OpenSSH vulnerable to the Terrapin attack?

Re: Is CoreFTP SFTP Server vulnerable to Terrapin?

Posted: Thu Jan 11, 2024 10:45 pm
by ForumAdmin
The Terrapin attack tool indicates ChaCha20 should be avoided. It is not available by default in Core FTP Server and needs to be added manually, so in most cases no action will be needed. If already added, then it should be removed under the "cipher algorithms" settings (SSH/SFTP - "..." in the domain setup).


For the MAC ETM part of the Terrapin attack, there are two options.

1) Go into the "cipher algorithms", "Add" the following:

AES128-CTR
AES192-CTR
AES256-CTR
AES128-GCM
AES256-GCM

AES-GCM ciphers are being touted as the preferred option by the team that reported the vulnerability - those can be added first if you like.


2) Make no changes to your cipher settings in step #1 (minus ChaCha20); go into the "MAC algorithms" settings and add any ciphers that don't have -etm in them. "sha1" is considered outdated, but you may have legacy software that still needs it; if not, it's a great time to not add it.



This vulnerability has been classified as "medium" and it has not been confirmed whether or not Core FTP Server is affected. These settings should prevent attempts via the Terrapin attack.

Associated CVE details can be found under:
CVE-2023-48795
CVE-2023-46445
CVE-2023-46446
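
Added example (not from the forum, and not Core FTP Server's own code): a small checker for the conditions the reply above is working around. Terrapin (CVE-2023-48795) hinges on the negotiated transport algorithms, so an administrator can judge exposure from the server's SSH_MSG_KEXINIT alone: the ChaCha20-Poly1305 cipher is affected, any CBC cipher combined with an "-etm" MAC is affected, and a server that advertises the "kex-strict-s-v00@openssh.com" pseudo-algorithm has the strict-kex countermeasure available (it only takes effect when the client supports it too). The KEXINIT layout follows RFC 4253 section 7.1; the two payloads built at the bottom are constructed test data, one mirroring the weak configuration the reply warns about and one mirroring the CTR/GCM-plus-non-etm configuration it recommends.

```python
import struct

CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict-kex marker
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"   # client-side strict-kex marker

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex", "host_keys",
    "ciphers_c2s", "ciphers_s2c",
    "macs_c2s", "macs_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
]


def _namelist(names):
    """Encode an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_keys, ciphers, macs, compression=("none",)):
    """Build a minimal SSH_MSG_KEXINIT payload for testing (constructed data:
    zero cookie, same algorithm lists in both directions, no languages)."""
    payload = b"\x14"                      # message number 20 = SSH_MSG_KEXINIT
    payload += b"\x00" * 16                # cookie (random in real traffic)
    for names in (kex, host_keys, ciphers, ciphers, macs, macs,
                  compression, compression, [], []):
        payload += _namelist(names)
    payload += b"\x00"                     # first_kex_packet_follows = FALSE
    payload += b"\x00\x00\x00\x00"         # reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != 0x14:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16                        # skip message number and cookie
    lists = []
    for _ in range(10):
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists.append(raw.split(",") if raw else [])
    return dict(zip(KEXINIT_FIELDS, lists))


def assess_terrapin(kexinit, role="server"):
    """Report which advertised algorithm combinations Terrapin applies to.

    role selects which strict-kex marker counts as 'this side offers the fix'.
    'exposed' means an affected algorithm is offered and this side cannot
    negotiate strict kex; the fix only takes effect when the peer offers it too.
    """
    ciphers = set(kexinit["ciphers_c2s"]) | set(kexinit["ciphers_s2c"])
    macs = set(kexinit["macs_c2s"]) | set(kexinit["macs_s2c"])

    findings = []
    if CHACHA20 in ciphers:
        findings.append("cipher %s is affected" % CHACHA20)
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    if cbc and etm:
        findings.append("CBC cipher(s) %s offered with EtM MAC(s) %s"
                        % (",".join(cbc), ",".join(etm)))

    marker = STRICT_KEX_SERVER if role == "server" else STRICT_KEX_CLIENT
    strict_kex = marker in kexinit["kex"]
    return {
        "findings": findings,
        "strict_kex": strict_kex,
        "exposed": bool(findings) and not strict_kex,
    }


# Constructed sample offers: a weak one and a hardened one.
WEAK_KEXINIT = build_kexinit(
    kex=["curve25519-sha256"], host_keys=["ssh-ed25519"],
    ciphers=[CHACHA20, "aes256-cbc", "aes128-ctr"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])

HARDENED_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", STRICT_KEX_SERVER], host_keys=["ssh-ed25519"],
    ciphers=["aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    macs=["hmac-sha2-256", "hmac-sha2-512"])


def check_samples():
    """Assess both constructed offers; returns (weak_report, hardened_report)."""
    return (assess_terrapin(parse_kexinit(WEAK_KEXINIT)),
            assess_terrapin(parse_kexinit(HARDENED_KEXINIT)))


if __name__ == "__main__":
    for label, report in zip(("weak", "hardened"), check_samples()):
        print(label, report)
```

In practice the payload passed to parse_kexinit would come from the first packet the server sends after the version exchange (for example from a packet capture); the checker never negotiates or modifies anything, it only reads the offer. Note that a CBC cipher offered alongside only non-etm MACs, or an EtM MAC alongside only CTR/GCM ciphers, does not trigger a finding, which is exactly why option 2 in the reply above works.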

Re: Is CoreFTP SFTP Server vulnerable to Terrapin?

Posted: Wed Feb 07, 2024 11:34 pm
by ForumAdmin
Update: Build 752 and greater removes -etm hmacs for any default settings.