
January 29th, 2024 14:10

CVE-2023-48795

Hello,

In our environment we have two Isilon clusters with FW 9.5.0.6.

Is there a fix for the issue in this article, "SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)"?

Please let me know how to fix this issue.

best regards 

Alex

Moderator

January 29th, 2024 19:35

Hi,

Thanks for your question.

We are waiting on an update from the Engineering team. There is not a fix yet.


Let us know if you have any additional questions.


February 1st, 2024 00:58

Any update?

We are also affected by this

Moderator

February 1st, 2024 13:47

I don't see it listed in either of the updates released today: https://dell.to/3SpAoNm and https://dell.to/3SjDYIN. You can check the latest here: https://dell.to/3SeOWiI


February 16th, 2024 17:24

I would recommend a support case be opened for this topic about how Dell plans to address this CVE, i.e. the issue in this CVE is tied to specific ciphers that are used by OpenSSH. Dell Support should be able to assist in disabling the problematic ciphers for ssh.

An acceptable workaround/mitigation might be to simply disable the problematic ciphers on the PowerScale so ssh clients can't use them when connecting to the PowerScale.

# isi_gconfig -t ssh-config | grep cipher

ciphers (char*) = aes192-ctr,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com


# isi_gconfig -t ssh-config ciphers=aes192-ctr,aes256-ctr,aes256-gcm@openssh.com

# isi_for_array -s killall -HUP sshd

Once the problematic cipher is removed on the PowerScale, a client can't use the given cipher either.


# ssh -c <Private data removed from public view. DELL Admin>

Unable to negotiate with 1<Private data removed from public view. DELL Admin>

Thanks,

Steve

#Iwork4Dell

(edited)
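The post above shows the procedure by hand: read the current cipher list with isi_gconfig, write it back without the weak entry, and HUP sshd. The following shell functions are an added example, not Dell's or the poster's code, and they run offline: they take the text that isi_gconfig prints, drop the algorithms the Terrapin advisory (CVE-2023-48795) names, which are chacha20-poly1305@openssh.com and any CBC-mode cipher when paired with an *-etm@openssh.com MAC, and print the isi_gconfig commands to apply the result. The sample isi_gconfig line is constructed from the post; the "macs" key name is an assumption (the post only shows "ciphers"), so check it against your cluster before running the generated commands.

```shell
#!/bin/sh
# Added example (not Dell's code): compute a Terrapin-hardened algorithm
# list from isi_gconfig output and print the commands that would apply it.

# Constructed sample, copied from the shape of the post's isi_gconfig output.
SAMPLE_CIPHERS_LINE='ciphers (char*) = aes192-ctr,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

# Pull the comma-separated value out of a "key (char*) = value" line on stdin.
gconfig_value() {
    sed -n 's/^[a-z]* (char\*) = //p'
}

# Remove chacha20-poly1305@openssh.com and every *-cbc cipher from a
# comma-separated list. Fails (exit 1) if nothing would be left, so an
# operator never writes an empty cipher list into sshd.
strip_terrapin_ciphers() {
    out=$(printf '%s\n' "$1" | tr ',' '\n' \
        | grep -v -e '^chacha20-poly1305@openssh.com$' -e '-cbc$' \
        | paste -sd, -)
    [ -n "$out" ] || { echo 'refusing to produce an empty cipher list' >&2; return 1; }
    printf '%s\n' "$out"
}

# Remove the encrypt-then-MAC variants (*-etm@openssh.com); only needed if
# a CBC cipher must stay enabled, since Terrapin needs CBC + ETM together.
strip_terrapin_macs() {
    out=$(printf '%s\n' "$1" | tr ',' '\n' | grep -v -e '-etm@openssh.com$' | paste -sd, -)
    [ -n "$out" ] || { echo 'refusing to produce an empty MAC list' >&2; return 1; }
    printf '%s\n' "$out"
}

# Read the "ciphers" line as isi_gconfig prints it and return the hardened list.
hardened_ciphers_from_gconfig() {
    gconfig_value | { read -r v; strip_terrapin_ciphers "$v"; }
}

# Print (do not run) the commands from the post with the hardened value
# substituted in, so the change can be reviewed before it is applied.
print_apply_commands() {
    printf 'isi_gconfig -t ssh-config ciphers=%s\n' "$1"
    printf 'isi_for_array -s killall -HUP sshd\n'
}

hardened=$(printf '%s\n' "$SAMPLE_CIPHERS_LINE" | hardened_ciphers_from_gconfig)
print_apply_commands "$hardened"
```

On a real cluster, replace the constructed sample with `isi_gconfig -t ssh-config | grep cipher` and only run the printed commands once you have confirmed the remaining list still contains ciphers your clients support; the post's own verification step (an `ssh -c` attempt with the removed cipher, which should fail with "Unable to negotiate") is the right check afterwards.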


February 20th, 2024 22:08

I am also seeing this CVE showing on our vulnerability reports. I opened an SR and the reply I received was this.

The update for the OpenSSH is in v9.6 of OpenSSH and is slated for our 9.8 release, hopefully coming out in the next few months.

Sadly this isn't something I can hold off for a few months. 

Thanks, Steven


February 29th, 2024 16:26

Article Number: 000221558
https://www.dell.com/support/kbdoc/en-us/000221558/dsa-2024-021-idrac-8-and-idrac-9-security-update-for-cve-2023-48795
DSA-2024-021: iDRAC 8 and iDRAC 9 Security Update for CVE-2023-48795
Summary: Dell iDRAC 8 and Dell iDRAC 9 security update for an OpenSSH vulnerability.
