topic Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint in General Topics

Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Tue, 19 Dec 2023 13:43:22 GMT

Hi Team,

All of my CheckPoint firewalls have been scanned recently, and it appears that they are all displaying vulnerable hosts due to a recently disclosed vulnerability known as Terrapin. Though I patched my Linux hosts with Customized Ciphers but wondering how do I start with CheckPoint?

Any comment from CheckPoint staff?

https://terrapin-attack.com/

@PhoneBoy @Chris_Atkinson Terrapin attack

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

the_rock — Tue, 19 Dec 2023 14:10:43 GMT

This actually came out today

https://www.helpnetsecurity.com/2023/12/19/ssh-vulnerability-cve-2023-48795/

I searched for CVE and also Terrapin on support site, nothing so far, except link to your post.

Andy

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Bob_Zimmerman — Tue, 19 Dec 2023 14:44:34 GMT

This attack isn't terribly practical. It requires full control over a router or proxy in the path between client and server. The firewall itself could execute this attack on connections flowing through it. From the OpenSSH team:

While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity.

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Tue, 19 Dec 2023 15:06:47 GMT

Agree but since it has a cve given most of the vulnerability vendor by tomorrow wil be updated with the the relevant signatures and scan will start showing as vulnerable. Though currently modifying sshd_conf file and removing chacha plus etm Mac's mitigating the vulnerability

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

the_rock — Tue, 19 Dec 2023 15:13:27 GMT

I would agree with that, hope it gets addressed soon.

Andy

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Chris_Atkinson — Tue, 19 Dec 2023 16:00:57 GMT

I expect we are evaluating internally and will provide further details when able.

In the interim please open a case with TAC and loop in your local CP SE as relevant.

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

PhoneBoy — Tue, 19 Dec 2023 23:55:39 GMT

Per the FAQ provided on the site mentioned:

I am an admin, should I drop everything and fix this?

Probably not.

The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection's traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection's encryption mode.

If you feel uncomfortable waiting for your SSH implementation to provide a patch, you can workaround this vulnerability by temporarily disabling the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.

That makes this issue less urgent to fix and something you can potentially mitigate:

Starting from R81.10, the relevant ciphers can be disabled via a clish command: https://support.checkpoint.com/results/sk/sk165685
For R80.40 and R81, the relevant ciphers can be disabled by editing sshd_config: https://support.checkpoint.com/results/sk/sk106031
This issue is not relevant in R80.30 and earlier since the relevant ciphers are not used.

Based on the public information available at current, this seems like the best course of action to take.
For an official response, refer to the TAC.

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

G_W_Albrecht — Wed, 20 Dec 2023 13:42:28 GMT

I just did that for training, it was easily done in clish:

enabled cipher: 
-------------------------------- 
aes128-cbc 
aes128-ctr 
aes128-gcm@openssh.com 
aes192-ctr 
aes256-ctr 
aes256-gcm@openssh.com 
chacha20-poly1305@openssh.com

set ssh server cipher chacha20-poly1305@openssh.com off

enabled cipher: 
-------------------------------- 
aes128-cbc 
aes128-ctr 
aes128-gcm@openssh.com 
aes192-ctr 
aes256-ctr 
aes256-gcm@openssh.com

enabled mac: 
-------------------------------- 
hmac-sha1 
hmac-sha1-etm@openssh.com 
hmac-sha2-256 
hmac-sha2-256-etm@openssh.com 
hmac-sha2-512 
hmac-sha2-512-etm@openssh.com 
umac-64-etm@openssh.com 
umac-64@openssh.com 
umac-128-etm@openssh.com 

set ssh server mac hmac-sha1-etm@openssh.com off
set ssh server mac hmac-sha2-256-etm@openssh.com off
set ssh server mac hmac-sha2-512-etm@openssh.com off
set ssh server mac umac-64-etm@openssh.com off
set ssh server mac umac-128-etm@openssh.com off

enabled mac: 
-------------------------------- 
hmac-sha1 
hmac-sha2-256 
hmac-sha2-512 
umac-64@openssh.com 
umac-128@openssh.com 
--------------------------------

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Wed, 20 Dec 2023 13:44:30 GMT

Right - I managed to mitigate around 50+ R81.10 and 5+ R80.40 since this morning 🙂

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

the_rock — Wed, 20 Dec 2023 13:58:45 GMT

Excellent!

Andy

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

_Val_ — Mon, 25 Dec 2023 09:54:13 GMT

The new SK is published to address the issue: https://support.checkpoint.com/results/sk/sk181833

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Mon, 25 Dec 2023 13:43:48 GMT

Thanks and thats great

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Raman_Arora — Tue, 02 Jan 2024 16:07:11 GMT

Hello Val,

Have followed the steps in SK, Qualys still reports the Vulnerability..

Before disabling Cipher - ChaCha20-Poly1305

RESULTS:
SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22
ChaCha20-Poly1305 Algorithm Support: True
CBC-EtM Algorithm Support: True
Strict Key Exchange algorithm enabled: False

After disabling Cipher - ChaCha20-Poly1305

RESULTS:
SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22
ChaCha20-Poly1305 Algorithm Support: False
CBC-EtM Algorithm Support: True
Strict Key Exchange algorithm enabled: False

Only piece what is shown under both results is CBC-EtM Algorithm Support is set as True. I know we did not disable anything else other than ChaCha20-Poly1305, but Qualys still reports its vulnerable and CBC-Etm Algo support is set as true.

Do you have any further insight?

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Tue, 02 Jan 2024 16:57:15 GMT

Yes disable that as well and it should be good. For R81.10 and R81.20 it has CBC-Etm

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

the_rock — Tue, 02 Jan 2024 17:03:36 GMT

@Blason_R is correct, I tested it on R81.20 and worked fine.

Best,

Andy

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Raman_Arora — Wed, 03 Jan 2024 08:24:57 GMT

great! Would you also please share how did you disable that?

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Martin_Valenta — Wed, 03 Jan 2024 08:32:12 GMT

Gaia Embedded not affected?

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Wed, 03 Jan 2024 08:34:04 GMT

I believe this should since all the SSH servers are vulnerable if those MACs and Ciphers are enabled.

https://terrapin-attack.com/#scanner

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Blason_R — Wed, 03 Jan 2024 08:36:25 GMT

Run below command and then we can confirm which can be disabled

show ssh server kex supported

show ssh server mac supported

Re: Terrapin Vulnerability - All Linux servers are vulnerable globally including CheckPoint

Raman_Arora — Wed, 03 Jan 2024 08:43:30 GMT

I tried this before, but 1st command is available on R81.20.. 2nd Command i also tried

Below is the output

xxx> show ssh server kex supported
CLINFR0329 Invalid command:'show ssh server kex supported'.
xxx> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------