Controllerless Networks


AP-505 Subject to SSH-Terrapin Vulnerability?

  • 1.  AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 07, 2024 12:51 PM

    The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

    An internal network scan is flagging my APs for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

    Any ideas or suggestions?



  • 2.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?
    Best Answer

    EMPLOYEE
    Posted May 07, 2024 01:00 PM

    Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

    ssh disable-ciphers aes-cbc

    Then run your internal network scan test again and report back and let us know the results.




  • 3.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 08, 2024 10:15 AM

    The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?




  • 4.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted May 08, 2024 10:54 AM

    Hi Troy,

    I just factory reset one of my APs on 8.11.2.2. On bring up, I see both aes-ctr and aes-cbc ciphers in the show ssh results. When I disable aes-cbc, I only see aes-ctr ciphers. I see the same behavior in 8.10.0.11 too. Which version are you running on your APs? Do you have aes-ctr ciphers disabled (show running-config | include ssh)?

    d0:4d:c6:c3:25:2a# show ssh
    Please change default password to private ones before any other operator.
     
    SSH Ciphers Settings:
    Ciphers       :aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
    d0:4d:c6:c3:25:2a# show ver | include ArubaOS
    ArubaOS (MODEL: 655), Version 8.11.2.2 SSR
    d0:4d:c6:c3:25:2a# 
    d0:4d:c6:c3:25:2a# conf t
    We now support CLI commit model, please type "commit apply" for configuration to take effect.
    d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers 
    aes-cbc     
    aes-ctr     
     
    d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers aes-cbc
    d0:4d:c6:c3:25:2a (config) # end
    d0:4d:c6:c3:25:2a# commit apply
    committing configuration...
    configuration committed.
    d0:4d:c6:c3:25:2a# show ssh
     
    SSH Ciphers Settings:
    Ciphers       :aes128-ctr,aes192-ctr,aes256-ctr
    d0:4d:c6:c3:25:2a# 




  • 5.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted May 08, 2024 11:38 AM

    I just confirmed with the official Terrapin Attack vulnerability scanner that disabling aes-cbc ciphers as described in my earlier response resolves the issue.




  • 6.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 08, 2024 12:04 PM

    You were correct. I stop reading at 'c', apparently! The CBC ciphers have been disabled, and I'll take your word below that they'll pass the check!




  • 7.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 08, 2024 02:03 AM

    Terrapin vulnerability should be resolved with latest ArubaOS-CX versions for switches. Unfortunately no info regarding APs and GWs.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 8.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 08, 2024 10:17 AM

    The one I'm working with has the latest 8.11 version. I try not to jump to new releases like 8.12.0 right away!




  • 9.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted May 08, 2024 11:23 AM

    Hi Troy,

    Just so that you're aware, 8.11 is no longer receiving patches. At some point, you'll want to upgrade.




  • 10.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 08, 2024 12:07 PM

    I will, though I usually wait until at least one or two patches have been applied, especially to a new release version. Thanks for the heads up!




  • 11.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted May 24, 2024 09:46 AM

    This may be a false detection of your internal network scan. The Aruba Product Security Policy can be found here.

    In general, if a product is NOT vulnerable, there will NOT be an announcement/bulletin as it's impossible to send out bulletins for everything products are not vulnerable to.

    I didn't find a bulletin for APs or controllers on Terrapin, so expect those not to be vulnerable, which may be because of configuration, software version or other reasons.

    If you are unsure, you can/should ask TAC (following the Product Security Policy). Or, as you may have done, disable aes-cbc to satisfy the network scan if that feels better or is easier.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted Jun 19, 2024 11:53 AM

    I've opened a TAC case as a follow-up. I'm tagging this thread to another one I'm opening in Controlled Networks, since Aruba Central doesn't seem to let me make the cipher change.




  • 13.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted Jun 20, 2024 12:49 PM

    TAC didn't have a direct answer for me, but the tech did show me how to process the command using Central. So that's probably their current fix, deactivating the AES-CBC cypher suite.




  • 14.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 28 days ago

    The bulletin was published on 2024-08-02 and can be found here:  https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us&docLocale=en_US

    The resolution section of that bulletin under the Terrapin attack section shows:

    Resolution:
    To address the vulnerability described in this detail
    section, it is recommended to upgrade the Access Points to
    one of the following versions (as applicable):

    - ArubaOS 10.6.x.x: 10.6.0.1 and above
    - ArubaOS 10.4.x.x: 10.4.1.4 and above
    - InstantOS 8.12.x.x: 8.12.0.2 and above
    - InstantOS 8.10.x.x: 8.10.0.13 and above

    We have upgraded our APs to 8.12.0.2 and are still showing the cbc ciphers in an nmap scan of the AP below. According to various websites outlining the vulnerability, any aes-cbc cipher is vulnerable when encrypt-then-mac is used, for example hmac-sha2-256-etm@openssh.com.

    PORT     STATE SERVICE
    22/tcp   open  ssh
    | ssh2-enum-algos: 
    |   kex_algorithms: (3)
    |       ecdh-sha2-nistp256
    |       ecdh-sha2-nistp384
    |       ecdh-sha2-nistp521
    |   server_host_key_algorithms: (4)
    |       rsa-sha2-512
    |       rsa-sha2-256
    |       ecdsa-sha2-nistp256
    |       ssh-ed25519
    |   encryption_algorithms: (6)
    |       aes128-ctr
    |       aes192-ctr
    |       aes256-ctr
    |       aes128-cbc
    |       aes192-cbc
    |       aes256-cbc
    |   mac_algorithms: (4)
    |       hmac-sha2-256-etm@openssh.com
    |       hmac-sha2-512-etm@openssh.com
    |       hmac-sha2-256
    |       hmac-sha2-512
    |   compression_algorithms: (2)
    |       none
    |_      zlib@openssh.com

    I'm working with TAC because I don't want to manually update all my APs at the various locations manually using the commands above. Also, if Aruba is advertising that 8.12.0.2 remediates the vulnerability and it doesn't, (at least for me) someone should point that out ;) 

    My APs are AP-505s managed by central and show v8.12.0.2_90468 currently installed.
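
Added example (not from any poster in this thread, Aruba, or the Terrapin scanner project): a Python check that reads nmap `ssh2-enum-algos` output like the scan above and reports whether the server offers the modes Terrapin targets, meaning ChaCha20-Poly1305 or a CBC cipher together with an EtM MAC, without advertising strict key exchange. The function names and the shortened sample scans are constructed for illustration, and the check looks only at what the server advertises, not at how the firmware behaves.

```python
import re

CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server's strict-KEX marker

def parse_enum_algos(text):
    """Parse nmap ssh2-enum-algos output into {category: [algorithm, ...]}."""
    algos, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"\s*\|_?\s*(\S.*)$", raw)
        if not m:
            continue  # blank line or text outside the script output
        item = m.group(1).strip()
        header = re.fullmatch(r"(\w+): \(\d+\)", item)
        if header:
            current = header.group(1)
            algos[current] = []
        elif current:
            algos[current].append(item)
    return algos

def terrapin_exposure(algos):
    """List the Terrapin-affected modes a server offers (empty list = none)."""
    if STRICT_KEX_SERVER in algos.get("kex_algorithms", []):
        return []  # strict key exchange offered; the client must support it too
    ciphers = algos.get("encryption_algorithms", [])
    found = [CHACHA] if CHACHA in ciphers else []
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in algos.get("mac_algorithms", []) if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        found.append("cbc+etm: " + ",".join(cbc))
    return found

# Constructed sample, modelled on the scan quoted in the thread (shortened).
SCAN_BEFORE = """\
| ssh2-enum-algos:
|   kex_algorithms: (1)
|       ecdh-sha2-nistp256
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes128-cbc
|       aes256-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256-etm@openssh.com
|_      hmac-sha2-256
"""
# Constructed: the same offer once the CBC ciphers are disabled on the AP.
SCAN_AFTER = "\n".join(l for l in SCAN_BEFORE.splitlines() if "-cbc" not in l)
print(terrapin_exposure(parse_enum_algos(SCAN_BEFORE)), terrapin_exposure(parse_enum_algos(SCAN_AFTER)))
```

The parser skips blank lines, so output pasted with a blank line between every row is read the same way.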