If they're not managed by Aruba Central, you only have to do it on each cluster's Instant Virtual Controller. It'll pass the command along to the others in the cluster.
Original Message:
Sent: May 30, 2025 09:56 AM
From: aeccles
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
And that requires a manual update on each AP, correct?
Original Message:
Sent: May 30, 2025 09:44 AM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
...and I just read through the HPE article referenced.
They 'can't confirm' whether the vulnerability exists, so they recommend the newest firmware to upgrade the SSH version to the newest level that they 'think' will mitigate the threat. They ALSO say to manually disable the CBC protocol in the APs. So the firmware update itself might not be enough.
Plus, it wouldn't be enough for any Security firm doing the probe. If they see that cypher, they'll report it as a vulnerability.
Original Message:
Sent: May 30, 2025 09:25 AM
From: Herman Robers
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
Did you read the responses above that explain which firmware versions fix this vulnerability?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 22, 2025 09:33 AM
From: aeccles
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
Did you ever get a resolution to this issue?
Original Message:
Sent: Sep 13, 2024 06:29 PM
From: sshultis
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
The bulletin was published on 2024-08-02 and can be found here: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us&docLocale=en_US
The resolution section of that bulletin under the Terrapin attack section shows:
Resolution:
To address the vulnerability described in this detail section, it is recommended to upgrade the Access Points to one of the following versions (as applicable):
- ArubaOS 10.6.x.x: 10.6.0.1 and above
- ArubaOS 10.4.x.x: 10.4.1.4 and above
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above
We have upgraded our APs to 8.12.0.2 and are still showing the cbc ciphers in an nmap scan of the AP below. According to various websites outlining the vulnerability, any aes-cbc cipher is vulnerable when encrypt-then-mac is used, for example hmac-sha2-256-etm@openssh.com.
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|   server_host_key_algorithms: (4)
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|   mac_algorithms: (4)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
I'm working with TAC because I don't want to manually update all my APs at the various locations manually using the commands above. Also, if Aruba is advertising that 8.12.0.2 remediates the vulnerability and it doesn't, (at least for me) someone should point that out ;)
My APs are AP-505s managed by central and show v8.12.0.2_90468 currently installed.
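An added example, not part of the original thread or of HPE's tooling: a small Python check that parses ssh2-enum-algos output like the scan quoted in the post above and reports whether the pairings associated with Terrapin are still offered. The function names are illustrative; the chacha20-poly1305@openssh.com and strict key exchange (kex-strict-s-v00@openssh.com) checks go beyond the CBC plus encrypt-then-MAC case the thread mentions.

```python
import re

# Sample input: the scan from the post above, trimmed to the sections the check reads.
SAMPLE = """\
| ssh2-enum-algos:
| kex_algorithms: (3)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| encryption_algorithms: (6)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-cbc
| aes192-cbc
| aes256-cbc
| mac_algorithms: (4)
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha2-512
"""
STRICT_KEX = "kex-strict-s-v00@openssh.com"  # marker a patched server adds to its KEX list

def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output (indented or flattened)."""
    algos, current = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("|_").strip()       # drop nmap's "|" / "|_" gutter
        m = re.fullmatch(r"(\w+): \((\d+)\)", line)     # e.g. "mac_algorithms: (4)"
        if m:
            current = algos.setdefault(m.group(1), [])
        elif current is not None and line and not line.endswith(":"):
            current.append(line)
    return algos

def terrapin_findings(algos):
    """Summarise which Terrapin-relevant algorithms the server offers."""
    enc = algos.get("encryption_algorithms", [])
    mac = algos.get("mac_algorithms", [])
    cbc = [c for c in enc if c.endswith("-cbc")]
    etm = [m for m in mac if "-etm@" in m]
    chacha = "chacha20-poly1305@openssh.com" in enc
    strict = STRICT_KEX in algos.get("kex_algorithms", [])
    return {"cbc_ciphers": cbc, "etm_macs": etm, "chacha20_poly1305": chacha,
            "strict_kex": strict,
            "affected_modes_offered": chacha or bool(cbc and etm)}

if __name__ == "__main__":
    print(terrapin_findings(parse_enum_algos(SAMPLE)))
```

Running the same check before and after disabling the CBC ciphers shows whether a scanner that keys on the offered algorithm list will still flag the AP.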
Original Message:
Sent: Jun 20, 2024 12:49 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
TAC didn't have a direct answer for me, but the tech did show me how to process the command using Central. So that's probably their current fix, deactivating the AES-CBC cypher suite.
Original Message:
Sent: May 24, 2024 09:45 AM
From: Herman Robers
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
This may be a false detection of your internal network scan. The Aruba Product Security Policy can be found here.
In general, if a product is NOT vulnerable, there will NOT be an announcement/bulletin as it's impossible to send out bulletins for everything products are not vulnerable to.
I didn't find a bulletin for APs or controllers on Terrapin, so expect those not to be vulnerable, which may be because of configuration, software version or other reasons.
If you are unsure, you can/should ask TAC (following the Product Security Policy). Or, as you may have done, disable aes-cbc to satisfy the network scan if that feels better or is easier.
------------------------------
Herman Robers
Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?
The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.
An internal network scan is flagging my APs for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.
Any ideas or suggestions?