Terrapin Attack #1398

elvexys-md · 2024-05-13T13:19:16Z

elvexys-md
May 13, 2024

Hello,

Maybe my question is a bit simple, but is SSH.NET vulnerable to the Terrapin attack?
https://terrapin-attack.com/

CVE-2023-48795: General Protocol Flaw
CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
CVE-2023-46446: Rogue Session Attack in AsyncSSH

Thanks,
Michel

Rob-Hague · 2024-05-14T10:41:40Z

Rob-Hague
May 14, 2024
Maintainer

See #1307 and #1285. In addition:

Version 2024.0.0 adds support for Encrypt-then-MAC algorithms but without a mitigation.
#1366 adds the strict key exchange mitigation. It will be included in the next version.

2 replies

elvexys-md May 14, 2024
Author

Great, thanks for your prompt and complete reply!
I thought I'd looked carefully through the discussions...

scott-xu May 16, 2024
Collaborator

Just want to be precise. Version 2024.0.0 adds support for Encrypt-then-MAC algorithms only when target .NET 6.0 onward.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Terrapin Attack #1398

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Terrapin Attack #1398

Uh oh!

elvexys-md May 13, 2024

Replies: 1 comment · 2 replies

Uh oh!

Rob-Hague May 14, 2024 Maintainer

Uh oh!

elvexys-md May 14, 2024 Author

Uh oh!

scott-xu May 16, 2024 Collaborator

elvexys-md
May 13, 2024

Replies: 1 comment 2 replies

Rob-Hague
May 14, 2024
Maintainer

elvexys-md May 14, 2024
Author

scott-xu May 16, 2024
Collaborator