Ukuba zixhatshaziwe, ezi ziphene zinokuvumela abahlaseli ukuba bafumane ukufikelela okungagunyaziswanga kulwazi olubuthathaka okanye ngokubanzi babangele iingxaki.
Mva nje iqela lezazinzulu kwiYunivesithi yaseRuhr yaseBochum, eJamani, ibonise iinkcukacha zendlela entsha yokuhlasela ye-MITM ngaphezulu kwe-SSH, abanayo wabhaptizwa njengo “Terrapin»kwaye abayikhankanyayo inokuvumela umhlaseli ukuba athobe ukhuseleko loqhagamshelo lwe-SSH xa usebenzisa uthethathethwano lolwandiso lwe-SSH. Impembelelo ekusebenzeni iya kuxhomekeka kakhulu kwizandiso ezixhaswayo, kodwa "phantse zonke" zisengozini.
Terrapin, usebenzisa ukuba sesichengeni (esele ifakwe kwikhathalogu phantsi kweCVE-2023-48795) leyo umhlaseli unokuthatha ithuba lokuququzelela uhlaselo lwe-MITM xa usebenzisa i-OpenSSH, ukuba sesichengeni kukuvumela ukuba ubuyisele umdibaniso ukuze usebenzise uqinisekiso lwemilinganiselo yoqinisekiso olukhuseleke kancinci okanye ukhubaze ukhuseleko ngokuchasene nohlaselo lwetshaneli esecaleni ephinda ifake igalelo ngokuhlalutya ulibaziseko phakathi kwezitshixo zebhodi yezitshixo.
"Ngokulungelelanisa ngokucophelela iinombolo zokulandelelana ngexesha lokuxhawula isandla, umhlaseli unokucima inombolo engafanelekanga yemiyalezo ethunyelwe ngumxhasi okanye umncedisi ekuqaleni kwesiteshi esikhuselekileyo ngaphandle kokuqaphela umxhasi okanye umncedisi," abaphandi bakhankanya.
Ngokumalunga nokuba sesichengeni, kukhankanyiwe ukuba oku ichaphazela zonke iinkqubo ze-SSH ezixhasa i-ChaCha20-Poly1305 okanye i-CBC mode ciphers ngokudibanisa ne-ETM (Encrypt-the-MAC) mode. Umzekelo, ubunakho obufanayo bukhona kwi-OpenSSH ngaphezulu kweminyaka eli-10.
“Kaninzi, oku kuchaphazela ukhuseleko loqinisekiso lomxumi xa usebenzisa isitshixo sikawonke-wonke saseRSA. Xa usebenzisa i-OpenSSH 9.5, inokuphinda isetyenziswe ukukhubaza amanyathelo athile okuthintela uhlaselo lwexesha,” abaphandi babhala.
Ukuba sesichengeni kungenxa yokuba umhlaseli olawula unxibelelwano lwetrafikhi (umzekelo, umnini wendawo enobungozi engenazingcingo) inokulungelelanisa amanani epakethe yolandelelwano ngexesha lenkqubo yothethathethwano loqhagamshelwano kwaye ufezekise ukucinywa okuthe cwaka kwenani elingenasizathu lemiyalezo yenkonzo ye-SSH ethunyelwe ngumxhasi okanye umncedisi.
Phakathi kwezinye izinto, umhlaseli angacima SSH_MSG_EXT_INFO imiyalezo esetyenziselwa ukuqwalasela izongezo yeprotocol esetyenziswayo. Ukuthintela elinye iqela ekuboneni ilahleko yepakethe ngenxa yesithuba sokulandelelana kwamanani, umhlaseli uqalisa ukuthumela ipakethe yedummy enenombolo yolandelelwano efanayo njengepakethi ekude ukutshintsha inombolo yolandelelwano. Ipakethe ye-dummy inomyalezo oneflegi ye-SSH_MSG_IGNORE, engahoywayo ngexesha lokuqhubekekiswa.
Ukwenza uhlaselo lwe-Terrapin ngokusebenza, abahlaseli bafuna amandla omntu ophakathi kwinqanaba lomnatha lokuthintela kunye nokuguqula i-traffic. Ukongeza, iindlela ezithile zokubethela kufuneka kuvunyelwane ngazo ukuze kuqinisekiswe ukuhanjiswa okukhuselekileyo kwedatha ngexesha loqhagamshelo.
Uhlaselo alunakwenziwa kusetyenziswa imijelo ye-ciphers kunye ne-CTR, kuba ukwaphulwa kwemfezeko kuya kubonwa kwinqanaba lesicelo. Ngokusebenza, kuphela ChaCha20-Poly1305 encryption isetyenziswa apho imeko ilandelwa kuphela ngeenombolo zolandelelwano lomyalezo, kunye nendibaniselwano ye-Encrypt-En-MAC mode (*-etm@openssh.com). ) kunye neCBC ciphers ziphantsi kohlaselo.
Kuyakhankanywa ukuba yafunyanwa kwakhona kwilayibrari yePython AsyncSSH, Ngokudibanisa nobuthathaka (CVE-2023-46446) ekuphunyezweni komatshini wombuso wangaphakathi, ukuhlaselwa kweTerrapin kusivumela ukuba sihlasele iseshoni ye-SSH.
Ukuba sesichengeni Ilungiswe kuguqulelo lwe-OpenSSH 9.6 kwaye kolu guqulelo lwe-OpenSSH kunye nokunye ukuphunyezwa, ukwandiswa kweprotocol "engqongqo ye-KEX" iphunyeziwe ukuvimba uhlaselo, eyenziwa ngokuzenzekelayo ukuba kukho inkxaso kumncedisi kunye necala lomxhasi. Ulwandiso luphelisa umdibaniso ekufumaneni kwayo nayiphi na imiyalezo engaqhelekanga okanye engeyomfuneko (umzekelo, nge SSH_MSG_IGNORE okanye SSH2_MSG_DEBUG iflegi) efunyenwe ngexesha lenkqubo yothethathethwano loqhagamshelo, kwaye iphinda imisele kwakhona i-MAC (iKhowudi yoQinisekiso lomyalezo) emva kokugqiba utshintshiselwano lwesitshixo ngasinye.
Okokugqibela, ukuba unomdla wokwazi okungakumbi ngayo, ungajonga iinkcukacha kwi eli khonkco lilandelayo.