KB Article #183054

SECURITY: Mitigating the Terrapin Attack vulnerability (CVE-2023-48795) in SecureTransport

Problem

A recently discovered security vulnerability, the Terrapin Attack (CVE-2023-48795), enables malicious actors to exploit the Secure Shell (SSH) protocol and attack systems that use it.


Additional information can be found at the following pages:


  • Report from original researchers
  • CVE-2023-48795 at National Vulnerability Database
  • Announcement from JAdaptive (Maverick)


Because SecureTransport deployments make wide use of the SSH protocol through the Maverick SSH libraries, the vulnerability affects the application, and ST administrators must take action.


Resolution

Axway is working on integrating the fixes in the Maverick libraries into an upcoming upgrade pack for SecureTransport. Regardless of that update, a permanent solution requires disabling the vulnerable SSH ciphers and HMACs on both updated and non-updated instances of SecureTransport, as described below.


Reconfigure your SecureTransport servers

Reconfiguring your ST servers means, in essence, disabling the vulnerable ciphers and HMACs in ST's SSH daemon.


The steps below cover both scenarios: ST as a server (accepting client connections) and ST as a client (connecting to remote servers). Applying only one part of the reconfiguration is not recommended.


1. On each ST instance (both Edges and Servers), go to Admin UI > Server Control, open the SSH server's hamburger menu, and go to Settings.



2. Open the settings pane of the Enabled Ciphers field.


3. Disable the chacha20-poly1305@openssh.com cipher.



4. Open the settings pane of the MAC Algorithms field.


5. Disable the HMACs:


  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1-etm@openssh.com
  • hmac-md5-etm@openssh.com



6. Repeat steps 2 to 5 for the Enabled FIPS Ciphers and FIPS MAC Algorithms fields.


7. Go to the Admin UI > Operations > Server Configuration page.


8. Edit the value of the parameter Ssh.SIT.Ciphers and remove the chacha20-poly1305@openssh.com cipher from the list, if it's there.


9. Edit the value of the parameter Ssh.SIT.AllowedMacs and remove the hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-md5-etm@openssh.com HMACs from the list, if any of them is there.


10. Restart all SecureTransport services.
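
A way to confirm from the network that an SSH listener no longer offers the algorithms disabled above, as an added example (not Axway's code): it parses the server's SSH_MSG_KEXINIT and reports any of the five listed algorithms still present. Function names, the client identifier string and the sample payload are constructed for illustration.

```python
import socket
import struct

# Algorithms the steps above disable.
VULNERABLE = {"chacha20-poly1305@openssh.com", "hmac-sha2-256-etm@openssh.com",
              "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com",
              "hmac-md5-etm@openssh.com"}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (type byte 20, 16-byte cookie, name-lists)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated KEXINIT name-list")
        lists[name] = raw.decode("ascii").split(",") if n else []
        pos += 4 + n
    return lists

def still_offered(lists: dict) -> dict:
    """Map each cipher/MAC field (FIELDS[2:6]) to algorithms that should be gone."""
    hits = {f: [a for a in lists[f] if a in VULNERABLE] for f in FIELDS[2:6]}
    return {f: bad for f, bad in hits.items() if bad}

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the server's KEXINIT payload; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexcheck\r\n")  # constructed client identifier
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()  # skip any lines sent before the banner
        length, pad = struct.unpack(">IB", f.read(5))
        if not 2 <= length <= 35000:  # RFC 4253 maximum packet size
            raise ValueError("implausible packet length")
        return f.read(length - 1)[:length - 1 - pad]

def build_sample(ciphers: str, macs: str) -> bytes:
    """Constructed KEXINIT payload for offline testing (not a capture)."""
    names = ["curve25519-sha256", "ssh-ed25519", ciphers, ciphers, macs, macs,
             "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(n)) + n.encode() for n in names)
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)
```

Run `still_offered(parse_kexinit(fetch_kexinit(host, port)))` against each SSH listener after the restart; an empty result means none of the listed algorithms is advertised. A listener shows only what it offers on that port, so the Ssh.SIT.Ciphers and Ssh.SIT.AllowedMacs values from steps 8 and 9 still need to be checked in Server Configuration.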