Terrapin, a MITM attack on SSH that manipulates sequence numbers during the connection negotiation process.

Danger

If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

Recently, a group of researchers from Ruhr University Bochum, Germany, published details of a new MITM attack technique against SSH, which they have christened "Terrapin" and which they say could allow an attacker to lower the security of an SSH connection when SSH extension negotiation is used. The impact in practice depends largely on the extensions supported, but "almost all" are at risk.

Terrapin exploits a vulnerability (already catalogued as CVE-2023-48795) that an attacker can take advantage of to mount a MITM attack when OpenSSH is used. The flaw allows the connection to be downgraded to use less secure authentication algorithms, or to disable protection against side-channel attacks that reconstruct typed input by analysing the delays between keystrokes.

"By carefully manipulating sequence numbers during the handshake, an attacker can remove an arbitrary number of messages sent by the client or server at the beginning of the secure channel without the client or server noticing," the researchers said.

As for the vulnerability, it is said to affect all SSH implementations that support ChaCha20-Poly1305 or CBC mode ciphers together with ETM (Encrypt-then-MAC) mode. For example, this functionality has been present in OpenSSH for more than ten years.

"In general, this affects the security of client authentication when an RSA public key is used. With OpenSSH 9.5, it can also be exploited to disable some of the countermeasures against keystroke timing attacks," the researchers write.

The vulnerability stems from the fact that an attacker who controls the connection's traffic (for example, the owner of a malicious wireless access point) can manipulate packet sequence numbers during the connection negotiation process and silently remove an arbitrary number of SSH service messages sent by the client or server.

Among other things, an attacker can remove the SSH_MSG_EXT_INFO messages used to configure the protocol extensions in use. To keep the other party from noticing packet loss through a gap in the sequence numbers, the attacker first sends a dummy packet with the same sequence number as the remote packet, which shifts the sequence number. The dummy packet carries a message with the SSH_MSG_IGNORE flag, which is ignored during processing.

To carry out the Terrapin attack in practice, attackers need man-in-the-middle capability at the network layer in order to intercept and modify traffic. In addition, specific encryption modes must be negotiated to secure data transmission during the connection.

The attack cannot be carried out against stream ciphers and CTR mode, since the integrity violation is detected at the application level. In practice, only ChaCha20-Poly1305 encryption, in which the state is tracked solely by message sequence numbers, and the combination of Encrypt-then-MAC mode (*-etm@openssh.com) with CBC ciphers can be attacked.

It is also reported to have been found in the Python library AsyncSSH, where, in combination with a vulnerability (CVE-2023-46446) in the implementation of the internal state machine, the Terrapin attack allows an SSH session to be hijacked.

The issue has been fixed in OpenSSH version 9.6. In this OpenSSH version and in other implementations, the "strict KEX" protocol extension is used to block the attack; it is enabled automatically when both the server and client side support it. The extension terminates the connection if abnormal or unnecessary messages (for example, ones with the SSH_MSG_IGNORE or SSH2_MSG_DEBUG flag) are received during connection negotiation, and it also resets the MAC (Message Authentication Code) counter after each key exchange completes.
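To make the conditions in the two preceding paragraphs concrete (the cipher and MAC combinations that can be attacked, and the strict KEX extension that blocks the attack), here is an added Python check that is not part of the article and not OpenSSH's own code. It takes the algorithm lists from a client's and a server's SSH_MSG_KEXINIT for one traffic direction, negotiates them as RFC 4253 does (first client preference the server also offers), and reports whether the resulting connection is exposed. The strict-KEX pseudo-algorithm names are those OpenSSH 9.6 advertises; the KEXINIT lists at the bottom are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# Strict-KEX pseudo-algorithms advertised inside the kex list (OpenSSH 9.6 PROTOCOL file).
STRICT_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"


def negotiate(client: list, server: list) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first client preference the server also offers."""
    return next((alg for alg in client if alg in server), None)


def vulnerable_combination(cipher: Optional[str], mac: Optional[str]) -> bool:
    """Prefix truncation only works with ChaCha20-Poly1305, whose state depends on the
    sequence number alone, or with a CBC cipher under Encrypt-then-MAC."""
    if cipher == CHACHA:
        return True
    if cipher is not None and cipher.endswith("-cbc"):
        return mac is not None and mac.endswith("-etm@openssh.com")
    return False  # CTR, GCM and other AEAD modes detect the integrity break


@dataclass
class Verdict:
    cipher: Optional[str]
    mac: Optional[str]
    strict_kex: bool
    vulnerable: bool


def assess(client: dict, server: dict) -> Verdict:
    """client/server: KEXINIT lists for one direction ('kex', 'ciphers', 'macs').
    Strict KEX only counts when the client offers the -c and the server the -s name."""
    cipher = negotiate(client["ciphers"], server["ciphers"])
    mac = negotiate(client["macs"], server["macs"])
    strict = STRICT_CLIENT in client["kex"] and STRICT_SERVER in server["kex"]
    return Verdict(cipher, mac, strict, vulnerable_combination(cipher, mac) and not strict)


# Constructed sample: a patched client talking to an unpatched server that still
# prefers ChaCha20-Poly1305; strict KEX is not negotiated, so the session is exposed.
PATCHED_CLIENT = {"kex": ["curve25519-sha256", STRICT_CLIENT],
                  "ciphers": [CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"],
                  "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]}
OLD_SERVER = {"kex": ["curve25519-sha256"],
              "ciphers": [CHACHA, "aes256-cbc"],
              "macs": ["hmac-sha2-256-etm@openssh.com"]}
```

Feeding `assess()` the lists from a real KEXINIT capture, or from a server banner scan, tells you whether patching only one side was enough: the verdict flips to safe only when both peers advertise their strict-KEX name or a non-affected cipher wins the negotiation.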

Finally, if you are interested in learning more about it, you can check the information at the following link.
