Terrapin - a vulnerability in the SSH protocol that allows the security of a connection to be downgraded

A team of researchers from Ruhr University Bochum (Germany) has presented a new MITM attack technique against SSH, called Terrapin, which exploits a vulnerability in the protocol (CVE-2023-48795). An attacker who can mount an active MITM attack is able, during the connection handshake, to block the delivery of messages that negotiate protocol extensions and thereby lower the security level of the connection. A prototype attack toolkit has been published on GitHub.

In the case of OpenSSH, the vulnerability allows, for example, rolling the connection back to less secure authentication algorithms and disabling the protection against side-channel attacks that reconstruct typed input from the timing between keystrokes. In the Python library AsyncSSH, combined with a vulnerability in the implementation of its internal state machine (CVE-2023-46446), the Terrapin attack makes it possible to inject oneself into an SSH session.

The vulnerability affects all SSH implementations that support ChaCha20-Poly1305 or CBC-mode ciphers combined with ETM (Encrypt-then-MAC). These combinations have been available in OpenSSH, for example, for more than 10 years. The vulnerability is fixed in the OpenSSH 9.6 release published today, as well as in the updates PuTTY 0.80, libssh 0.10.6/0.9.8 and AsyncSSH 2.14.2. In Dropbear SSH the fix has already been committed to the code base, but a new release has not yet been published.

The vulnerability stems from the fact that an attacker who controls the connection's traffic (for example, the operator of a malicious wireless access point) can manipulate packet sequence numbers during the connection handshake and thereby silently delete an arbitrary number of SSH service messages sent by the client or the server. Among other things, the attacker can delete the SSH_MSG_EXT_INFO message used to negotiate the protocol extensions in use. So that the other side does not detect the loss of a packet through a gap in the sequence numbering, the attacker shifts the sequence counter beforehand by having a dummy packet delivered during the handshake, which takes the place, in the counting, of the packet that will later be deleted. The dummy packet carries a message of type SSH_MSG_IGNORE, which is discarded during processing.


The attack cannot be carried out against stream ciphers and CTR mode, because the resulting integrity violation would be detected at the application level. In practice, only the ChaCha20-Poly1305 cipher (chacha20-poly1305@openssh.com), whose state is tracked solely by the message sequence number, and the combination of Encrypt-Then-MAC mode (*-etm@openssh.com) with CBC ciphers are susceptible to the attack.
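To turn the rule above into a check that can be run against a captured handshake, the following added example (not code from the researchers, OpenSSH or any of the projects named on this page) parses SSH_MSG_KEXINIT payloads as laid out in RFC 4253, applies the standard negotiation rule (first entry in the client's list that the server also offers) and flags the outcome as Terrapin-prone when the negotiated cipher is chacha20-poly1305@openssh.com or a CBC cipher paired with an *-etm@openssh.com MAC. It also reports whether both sides advertise the OpenSSH strict KEX identifiers kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com; the client and server packets at the bottom are constructed sample input, not a real capture.

```python
"""Parse SSH_MSG_KEXINIT (RFC 4253 section 7.1) and report whether the negotiated
cipher/MAC pair is one of the Terrapin-prone combinations and whether both sides
advertise the strict KEX extension. Sample packets below are constructed."""
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# OpenSSH identifiers for strict KEX; each side advertises its own pseudo-algorithm
# in the kex name-list, and the extension is active only if both are present.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def _read_name_list(buf, off):
    """Read a uint32-length-prefixed, comma-separated name-list at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Decode message byte, 16-byte cookie, ten name-lists, the
    first_kex_packet_follows flag and the reserved uint32 into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16
    msg = {}
    for field in KEXINIT_LISTS:
        msg[field], off = _read_name_list(payload, off)
    msg["first_kex_packet_follows"] = bool(payload[off])
    (msg["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return msg


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (missing lists are empty).
    Only used to construct sample packets; a real peer sends a random cookie."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_LISTS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)


def negotiate(client_names, server_names):
    """RFC 4253 rule: the first entry of the client's list also offered by the server."""
    for name in client_names:
        if name in server_names:
            return name
    return None


def terrapin_prone(cipher, mac):
    """ChaCha20-Poly1305, or a CBC cipher with an Encrypt-then-MAC (*-etm) MAC.
    For an AEAD cipher the negotiated MAC is not used, so it is not consulted."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True
    return cipher.endswith("-cbc") and mac is not None and mac.endswith("-etm@openssh.com")


def assess(client_payload, server_payload):
    """Return negotiated cipher/MAC per direction, the Terrapin verdict and strict KEX status."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    result = {"strict_kex": STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"]}
    for direction in ("c2s", "s2c"):
        cipher = negotiate(c["enc_" + direction], s["enc_" + direction])
        mac = negotiate(c["mac_" + direction], s["mac_" + direction])
        result[direction] = {"cipher": cipher, "mac": mac,
                             "terrapin_prone": cipher is not None and terrapin_prone(cipher, mac)}
    return result


# Constructed sample: a client that prefers ChaCha20-Poly1305 and supports strict KEX,
# talking to an unpatched server that offers CBC+ETM and ChaCha20 but not strict KEX.
CLIENT = build_kexinit({
    "kex": ["curve25519-sha256", STRICT_KEX_CLIENT], "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
SERVER = build_kexinit({
    "kex": ["curve25519-sha256"], "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["aes256-cbc", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    "enc_s2c": ["aes256-cbc", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print(assess(CLIENT, SERVER))
```

Feeding the two KEXINIT payloads of a real session (they are the first messages after the version banners and are sent in the clear) gives the same verdict for that session; a client that lists aes256-ctr before chacha20-poly1305@openssh.com negotiates a combination the attack does not apply to, regardless of what the server offers.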

To block the attack, OpenSSH 9.6 and other implementations add a protocol extension called "strict KEX", which is activated automatically when both the server and the client support it. The extension terminates the connection as soon as any abnormal or unnecessary message (for example one of type SSH_MSG_IGNORE or SSH2_MSG_DEBUG) is received during the connection handshake, and it also resets the MAC (Message Authentication Code) sequence counter after every completed key exchange.
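The sequence-counter manipulation described earlier and the two halves of the strict KEX countermeasure can be seen side by side in the following added example, which is a model written for this page and not code from the researchers or from OpenSSH. It reduces the server-to-client direction of a handshake to a sender and a receiver that each keep their own packet counter, with an integrity tag that, like the ChaCha20-Poly1305 tag, is bound only to the sender's counter and the payload. A MITM delivers one cleartext SSH_MSG_IGNORE before NEWKEYS and then deletes the first encrypted packet (SSH_MSG_EXT_INFO); the run shows that an unpatched receiver accepts the rest of the session with EXT_INFO silently gone, that aborting on the unexpected handshake message stops the injection, and that resetting the counters after NEWKEYS alone already turns the deletion into a detectable integrity failure. The message script, the session key and the tag construction are constructed stand-ins, not the real wire format.

```python
"""Model of the Terrapin sequence-number manipulation on a transport whose
per-packet integrity tag depends only on the packet sequence number (as with
chacha20-poly1305@openssh.com), and of the two halves of the strict KEX fix.
Everything here is a constructed stand-in, not the real SSH wire format."""
import hashlib
import hmac

SSH_MSG_IGNORE = 2
SSH_MSG_DEBUG = 4
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31

SESSION_KEY = b"constructed-session-key"  # stands in for the keys derived by the KEX


def integrity_tag(seq, payload):
    """Tag bound to the sender's counter and the payload only. The packet carries no
    sequence number; each side counts packets itself, exactly as SSH does."""
    return hmac.new(SESSION_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]


class Server:
    """Sending side of the server->client direction."""
    def __init__(self, reset_after_newkeys):
        self.seq = 0
        self.encrypting = False
        self.reset_after_newkeys = reset_after_newkeys

    def send(self, payload):
        tag = integrity_tag(self.seq, payload) if self.encrypting else None
        self.seq += 1
        if payload[0] == SSH_MSG_NEWKEYS:
            self.encrypting = True
            if self.reset_after_newkeys:  # strict KEX: counters restart at zero
                self.seq = 0
        return payload, tag


class Client:
    """Receiving side. abort_on_unexpected plus reset_after_newkeys is strict KEX."""
    def __init__(self, abort_on_unexpected, reset_after_newkeys):
        self.seq = 0
        self.decrypting = False
        self.abort_on_unexpected = abort_on_unexpected
        self.reset_after_newkeys = reset_after_newkeys
        self.delivered = []  # message types passed up to the application layer

    def receive(self, packet):
        payload, tag = packet
        if self.decrypting:
            if tag is None or not hmac.compare_digest(tag, integrity_tag(self.seq, payload)):
                raise ConnectionError("integrity check failed at receive seq %d" % self.seq)
        elif self.abort_on_unexpected and payload[0] in (SSH_MSG_IGNORE, SSH_MSG_DEBUG):
            raise ConnectionError("strict KEX: message type %d not allowed during handshake" % payload[0])
        self.seq += 1  # an IGNORE still advances the counter, which is the whole problem
        if payload[0] == SSH_MSG_NEWKEYS:
            self.decrypting = True
            if self.reset_after_newkeys:
                self.seq = 0
        if payload[0] != SSH_MSG_IGNORE:
            self.delivered.append(payload[0])


def run(attack, abort_on_unexpected=False, reset_after_newkeys=False):
    """Replay a constructed server->client handshake tail. With attack=True a MITM
    injects one cleartext SSH_MSG_IGNORE before NEWKEYS and then deletes the first
    encrypted packet (EXT_INFO). Returns the outcome and the delivered message types."""
    server = Server(reset_after_newkeys)
    client = Client(abort_on_unexpected, reset_after_newkeys)
    script = [
        bytes([SSH_MSG_KEXINIT]) + b"...",
        bytes([SSH_MSG_KEXDH_REPLY]) + b"...",
        bytes([SSH_MSG_NEWKEYS]),
        bytes([SSH_MSG_EXT_INFO]) + b"server-sig-algs",
        bytes([SSH_MSG_SERVICE_ACCEPT]) + b"ssh-userauth",
    ]
    try:
        for payload in script:
            if attack and payload[0] == SSH_MSG_NEWKEYS:
                # Injected in the clear: advances only the client's receive counter.
                client.receive((bytes([SSH_MSG_IGNORE]), None))
            packet = server.send(payload)
            if attack and payload[0] == SSH_MSG_EXT_INFO:
                continue  # deleted by the MITM; the two counters are now back in step
            client.receive(packet)
    except ConnectionError as err:
        return {"outcome": "aborted", "reason": str(err), "delivered": client.delivered}
    return {"outcome": "completed", "delivered": client.delivered}


if __name__ == "__main__":
    print("no attack          :", run(False))
    print("attack, unpatched  :", run(True))
    print("attack, strict KEX :", run(True, abort_on_unexpected=True, reset_after_newkeys=True))
    print("attack, reset only :", run(True, reset_after_newkeys=True))
```

The unpatched run completes with the delivered list missing type 7 (EXT_INFO) and nothing else out of place, which is why the downgrade is invisible to both endpoints. With CBC ciphers the same counter trick applies, but the deleted packet also disturbs the CBC chaining of the next block, which the page notes makes the real attack less clean than this model.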

Source: opennet.ru
