Bug 558 - Apply mitigation on CVE-2023-48795

Review Request #286 — Created June 14, 2024 and submitted — Latest diff uploaded

Information
luhsuan
APV10
rel_apv_10_7
558
Reviewers
jasonchou, milliechou, timlai, weikai 
As it needs a lot of re-working to eliminate CVE-2023-48795.

We instead apply a mitigation to address CVE-2023-48795 by disabling the following encryptions and MACs by default:


    

  • Encryption
      

    • chacha20-poly1305@openssh.com
      • 

    

    • 

  • MAC
      

    • the MACs with -etm@openssh.com suffix.
      • 

    

    • 



For more information, you may find on this NIST report.
    

  • Nexus vulnerability scanning
      

    • PASSED (report by @timlai).
      • 

    

    • 

  • connection test with specified encryption (ssh <server name> -c <encryption>)
      

    • PASSED (the server should reject the connection)
      • 

    

    • 

  • connection test with specified MAC (ssh <server name> -m <MAC>)
      

    • PASSED (the server should reject the connection)
      • 

    

    • 

  • APV terminal output of ssh cipher
      

    • PASSED (should show New ciphers, separated by commas. Supported ciphers are:aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com)
      • 

    

    •
    Loading...