Data Domain: Vulnerability of CVE-2023-48795 (Terrapin)

CVE-2023-48795 (terrapin) vulnerability for OpenSSH was detected on the Data Domain appliance.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. Therefore, a client and server may end up with a connection for which some security features have been downgraded or disabled, a Terrapin attack.

This issue is addressed in below DDOS releases with the removal of the vulnerable Ciphers and MAC to remediate CVE-2023-48795

• Feature Release DDOS-8.0.0.0 to DDOS-8.3.0.0
• LTS DDOS-7.13.1.0 and above
• LTS DDOS-7.10.1.30 and above
• LTS DDOS-8.3.1.0 and above

Note:
1. If the OpenSSH configuration in the Data Domain system was previously customized, the affected Ciphers and MACs may persist even after upgrading to the remediated DDOS versions listed. Customers can follow the procedure below to manually remove these Ciphers and MACs if necessary.
2. Since these releases use an OpenSSH version earlier than 9.6, customer scanners may still flag CVE-2023-48795. However, this is a false positive because the vulnerable Ciphers and MACs are no longer in use.

Procedure: Remove cipher and Mac using cli example in
Data Domain: Deprecated SSH Cryptographic Settings QID 38739(login required)
by removing

1. SSH cipher - chacha20-poly1305@openssh.com
2. MACs - hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com

The final List is:

• Ciphers: aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
• Macs: hmac-sha2-256, hmac-sha2-512