Bug 558 - Apply mitigation on CVE-2023-48795
Review Request #286 — Created June 14, 2024 and submitted
| Information | |
|---|---|
| Submitter | luhsuan |
| Repository | APV10 |
| Branch | rel_apv_10_7 |
| Bugs | 558 |
| Reviewers | jasonchou, milliechou, timlai, weikai |
Description:

As it needs a lot of re-working to eliminate CVE-2023-48795, we instead apply a mitigation to address CVE-2023-48795 by disabling the following encryptions and MACs by default:

- Encryption
  - chacha20-poly1305@openssh.com
- MAC
  - the MACs with the -etm@openssh.com suffix.
  - the MACs with

For more information, you may refer to this NIST report.
Testing Done:

- Nexus vulnerability scanning - PASSED (report by @timlai).
- connection test with specified encryption (`ssh <server name> -c <encryption>`) - PASSED (the server should reject the connection)
- connection test with specified MAC (`ssh <server name> -m <MAC>`) - PASSED (the server should reject the connection)
- APV terminal output of `ssh cipher` - PASSED (should show "New ciphers, separated by commas. Supported ciphers are: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com")
- PASSED (should show
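The following is an added example, not code from this review request or the APV project. It models the mitigation described above together with the checks in Testing Done: given an SSH cipher/MAC offer it reports the combinations Terrapin (CVE-2023-48795) needs (chacha20-poly1305@openssh.com on its own, or any CBC cipher offered alongside an -etm@openssh.com MAC), applies the same two removals as this change, and renders the result as explicit sshd_config Ciphers/MACs directives. It also shows why the CBC ciphers that remain in the `ssh cipher` output above are acceptable once the EtM MACs are gone. The algorithm lists are constructed for the example (one is the cipher list quoted above, the other is shaped like a stock OpenSSH MAC list), and the function names and the strict-KEX annotation are the example's own assumptions, not anything from the reviewed code.

```python
# Added example (not code from this review or the APV project): model the
# Terrapin (CVE-2023-48795) mitigation described on this page and check an
# SSH algorithm offer for the combinations the attack needs. Every list
# below is constructed for the example, not captured from a server.
from typing import Iterable, List, Tuple

CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
# Strict-KEX extension markers: the full fix, which this review defers.
STRICT_KEX_MARKERS = ("kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com")


def parse_name_list(text: str) -> List[str]:
    """Split an SSH name-list ("a,b,c", as in KEXINIT or sshd_config)."""
    return [name.strip() for name in text.split(",") if name.strip()]


def is_cbc(cipher: str) -> bool:
    # Matches aes128-cbc, 3des-cbc and vendor forms such as rijndael-cbc@lysator.liu.se.
    return cipher.endswith("-cbc") or "-cbc@" in cipher


def terrapin_findings(ciphers: Iterable[str], macs: Iterable[str],
                      kex: Iterable[str] = ()) -> List[str]:
    """Return the Terrapin-exploitable combinations still present in an offer.

    An empty list means the mitigation on this page is fully in effect:
    no chacha20-poly1305, and no CBC cipher that can pair with an EtM MAC.
    """
    ciphers, macs, kex = list(ciphers), list(macs), list(kex)
    findings = []
    if CHACHA in ciphers:
        findings.append(f"{CHACHA} offered (exploitable on its own)")
    cbc = [c for c in ciphers if is_cbc(c)]
    etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
    if cbc and etm:
        findings.append(f"CBC ciphers {cbc} offered with EtM MACs {etm}")
    if findings and any(k in STRICT_KEX_MARKERS for k in kex):
        # Strict KEX stops the prefix truncation, but only when the peer
        # negotiates it as well; keep the finding and annotate it.
        findings = [f + " (strict KEX advertised; protects only peers that also support it)"
                    for f in findings]
    return findings


def apply_mitigation(ciphers: Iterable[str], macs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """The mitigation this review applies: drop chacha20 and every *-etm MAC."""
    kept_ciphers = [c for c in ciphers if c != CHACHA]
    kept_macs = [m for m in macs if not m.endswith(ETM_SUFFIX)]
    return kept_ciphers, kept_macs


def sshd_config_lines(ciphers: Iterable[str], macs: Iterable[str]) -> List[str]:
    """Render the lists as explicit sshd_config directives."""
    return [f"Ciphers {','.join(ciphers)}", f"MACs {','.join(macs)}"]


# Constructed input 1: the cipher list quoted in "Testing Done" above.
APV_CIPHERS = parse_name_list(
    "aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com")
# Constructed input 2: a MAC list in the shape of an unmodified OpenSSH default.
STOCK_MACS = parse_name_list(
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,"
    "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1")


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Before: chacha20 plus a CBC/EtM pairing. After: nothing left to pair."""
    before = terrapin_findings(APV_CIPHERS + [CHACHA], STOCK_MACS)
    ciphers, macs = apply_mitigation(APV_CIPHERS + [CHACHA], STOCK_MACS)
    after = terrapin_findings(ciphers, macs)
    return before, after, sshd_config_lines(ciphers, macs)


if __name__ == "__main__":
    before, after, cfg = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
    print(*cfg, sep="\n")
```

Run it directly to print the before/after findings and the resulting directives. For a live check, pair it with the connection tests listed above: a mitigated server answers `ssh -c chacha20-poly1305@openssh.com <server name>` with a client-side "no matching cipher found" error, and `-m <MAC>` with any -etm@openssh.com MAC fails the same way.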
| Description | From | Last Updated |
|---|---|---|
| You could also add a ui_ssh_ciphers function and a DEFAULT_SSH_CIPHERS variable, and modify the ssh configuration file (sshd_config) to specify the MACs. | | |
| Changes to sys_cmd.c are not appearing, can you please fix the same. | | |
| Hi Reviewers, should we change the output message of ssh cipher as well as the document? I think showing chacha20-poly1305@openssh.com … | | |
| Check whether the doc also needs to be updated | | |
Diff: Revision 2 (+22 -2)
- branches/rel_apv_10_7/usr/click/lib/libparser/commands.pm (Diff revision 3): Check whether the doc also needs to be updated
