SSH Terrapin on CentOS and Rocky Linux


So there is a vulnerability in SSH, code-named Terrapin: https://access.redhat.com/security/cve/cve-2023-48795

Right now Rocky 8 has patches. Unlike AlmaLinux, they didn’t get marked as security patches. Normally I get alerted and apply security patches, so I need to update some packages on these machines. I will do that using Puppet.

Rocky 9 curiously has not been updated yet; only the mitigation is available. This is dragging on, so I might apply that mitigation.

CentOS 7 doesn’t look like it is going to get a fix, so I will apply the mitigation with Ansible.

Rocky 8 Update with Puppet

/usr/local/bin/pdk new module uhterrapin
cd uhterrapin
/usr/local/bin/pdk new class uhterrapin
cd manifests/
vi init.pp
cd ..
/usr/local/bin/pdk validate

And in the init.pp file:

class uhterrapin {
  $enhancers = ['openssh', 'openssh-server', 'openssh-clients']
  package { $enhancers:
    ensure => 'latest',
  }
}

So I attach that class to my host groups and it updates those three packages. I remove the class from the host groups later.

Rocky 9 Mitigation

cd /etc/crypto-policies/policies/modules
cat <<! > TERRAPIN.pmod
cipher@ssh = -CHACHA20*
ssh_etm = 0
!
update-crypto-policies --set DEFAULT:TERRAPIN
systemctl restart sshd

CentOS 7 Mitigation by Ansible

- name: "centos7 terrapin"
  hosts: testhost
  become: true
  tasks:

    - name: change the ciphers line in sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        backup: true
        state: present
        regexp: '^[cC]iphers'
        insertbefore: BOF
        line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
        # Refuse to write a file that sshd itself will not accept
        validate: '/usr/sbin/sshd -t -f %s'
      when: ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_major_version'] == '7'
      notify: restart sshd

    - name: change the macs line in sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        backup: true
        state: present
        regexp: '^[mM]acs'
        insertbefore: BOF
        line: 'MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'
        validate: '/usr/sbin/sshd -t -f %s'
      when: ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_major_version'] == '7'
      notify: restart sshd

    - name: document this
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        backup: true
        state: present
        insertbefore: BOF
        line: '# MACS and Ciphers set for TERRAPIN Centos 7'
      when: ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_major_version'] == '7'

  # Restart only when one of the sshd_config tasks actually changed something,
  # so unaffected hosts and repeat runs do not bounce sshd.
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

CentOS 7 Mitigation by script

#!/bin/bash
# Stop at the first failing command so a half-applied change does not go unnoticed.
set -e

sshd_config=/etc/ssh/sshd_config
ciphers_line='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
macs_line='MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'

# sshd keywords are case-insensitive, so match them that way both when looking
# for the line (grep -i) and when replacing it (GNU sed's I flag); otherwise an
# existing "Ciphers" line is found by grep but never rewritten by sed.
if grep -qi '^ciphers' "$sshd_config"
then
  sed -i.ciphers "s/^ciphers.*/$ciphers_line/I" "$sshd_config"
else
  sed -i.ciphers "2i $ciphers_line" "$sshd_config"
fi

if grep -qi '^macs' "$sshd_config"
then
  sed -i.macs "s/^macs.*/$macs_line/I" "$sshd_config"
else
  sed -i.macs "3i $macs_line" "$sshd_config"
fi

# Check the result before reloading, then restart sshd so the change takes effect.
sshd -t
systemctl restart sshd
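Whichever of the three mitigations above you apply (the Rocky 9 crypto-policy module, the Ansible play or the script), the thing worth checking afterwards is the effective configuration sshd actually runs with, which sshd -T prints after crypto-policies and any Include files are merged. The script below is an added example of mine, not from the original post or from Red Hat's tooling: it reads sshd -T output or a plain sshd_config and reports whether the Terrapin-relevant combinations are still offered, that is chacha20-poly1305@openssh.com, or a CBC cipher together with an -etm@openssh.com MAC. It assumes only the "ciphers ..." / "macs ..." keyword format; the sample files it creates at the bottom are constructed for the demo.

```bash
#!/bin/bash
# Added example, not part of the original post: check an sshd configuration
# for the algorithm combinations the Terrapin attack (CVE-2023-48795) needs:
# the chacha20-poly1305@openssh.com cipher, or any CBC cipher together with an
# encrypt-then-MAC (-etm@openssh.com) MAC. Feed it "sshd -T" output (the
# effective configuration after crypto-policies are applied) or an sshd_config.
# The sample files at the bottom are constructed for the demo.

# Print the comma-separated value of the first "<keyword> <value>" line in a
# file; sshd keywords are case-insensitive, so match them that way.
ssh_alg_list() {
    # $1 = keyword (ciphers or macs), $2 = file
    grep -iE "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 | awk '{print $2}'
}

# Exit status: 0 mitigated, 1 still exposed, 2 no explicit Ciphers/MACs lines
# (OpenSSH's built-in defaults then apply, and they include chacha20-poly1305).
terrapin_check() {
    local file=$1 ciphers macs status=0
    ciphers=$(ssh_alg_list ciphers "$file")
    macs=$(ssh_alg_list macs "$file")
    if [ -z "$ciphers" ] || [ -z "$macs" ]; then
        echo "$file: no explicit Ciphers/MACs lines; defaults apply (check with: sshd -T)"
        return 2
    fi
    # Surround the list with commas so a pattern can match one whole entry.
    case ",$ciphers," in
        *,chacha20-poly1305@openssh.com,*)
            echo "$file: chacha20-poly1305@openssh.com is still enabled"
            status=1 ;;
    esac
    # CBC ciphers are only a Terrapin problem when combined with an -etm MAC.
    case ",$ciphers," in
        *-cbc,*)
            case ",$macs," in
                *-etm@openssh.com,*)
                    echo "$file: a CBC cipher is enabled alongside an -etm@openssh.com MAC"
                    status=1 ;;
            esac ;;
    esac
    [ "$status" -eq 0 ] && echo "$file: mitigated"
    return "$status"
}

# Stand-alone demo on constructed samples. On a real host run instead:
#   sshd -T > /tmp/sshd_effective && terrapin_check /tmp/sshd_effective
demo_dir=$(mktemp -d)
printf 'ciphers chacha20-poly1305@openssh.com,aes128-ctr\nmacs hmac-sha2-256\n' > "$demo_dir/before"
printf 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nMACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512\n' > "$demo_dir/after"
for f in "$demo_dir/before" "$demo_dir/after"; do
    terrapin_check "$f" || echo "  -> exit status $?"
done
rm -rf "$demo_dir"
```

The exit status is meant for use from a monitoring job or a Qualys-ticket closure script: 0 means the host no longer offers the vulnerable combinations, 1 means it still does, 2 means the configuration relies on OpenSSH's compiled-in defaults, which on an unpatched build include chacha20-poly1305.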

So not very exciting, but such is my life. These get marked as Qualys Severity level “4”, which is high and quite frankly a little exaggerated. So to please the cyber security team, I have applied these mitigations and patches.