Original Message:
Sent: May 08, 2024 10:54 AM
From: schmelzle
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
Hi Troy,
I just factory reset one of my APs on 8.11.2.2. On bring up, I see both aes-ctr and aes-cbc ciphers in the show ssh results. When I disable aes-cbc, I only see aes-ctr ciphers. I see the same behavior in 8.10.0.11 too. Which version are you running on your APs? Do you have aes-ctr ciphers disabled (show running-config | include ssh
)?
d0:4d:c6:c3:25:2a# show ssh
Please change default password to private ones before any other operator.
SSH Ciphers Settings:
Ciphers :aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
d0:4d:c6:c3:25:2a# show ver | include ArubaOS
ArubaOS (MODEL: 655), Version 8.11.2.2 SSR
d0:4d:c6:c3:25:2a#
d0:4d:c6:c3:25:2a# conf t
We now support CLI commit model, please type "commit apply" for configuration to take effect.
d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers
aes-cbc
aes-ctr
d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers aes-cbc
d0:4d:c6:c3:25:2a (config) # end
d0:4d:c6:c3:25:2a# commit apply
committing configuration...
configuration committed.
d0:4d:c6:c3:25:2a# show ssh
SSH Ciphers Settings:
Ciphers :aes128-ctr,aes192-ctr,aes256-ctr
d0:4d:c6:c3:25:2a#
Original Message:
Sent: May 08, 2024 10:14 AM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?
Original Message:
Sent: May 07, 2024 12:59 PM
From: schmelzle
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin).
ssh disable-ciphers aes-cbc
Then run your internal network scan test again and report back and let us know the results.
Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.
An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.
Any ideas or suggestions?