Controllerless Networks

 View Only
last person joined: yesterday 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

AP-505 Subject to SSH-Terrapin Vulnerability?

This thread has been viewed 39 times

  • 1.  AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 21 days ago

    The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

    An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

    Any ideas or suggestions?



  • 2.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?
    Best Answer

    EMPLOYEE
    Posted 21 days ago

    Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

    ssh disable-ciphers aes-cbc

    Then run your internal network scan test again and report back and let us know the results.


    Original Message


  • 3.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 20 days ago

    The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?


    Original Message


  • 4.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted 20 days ago

    Hi Troy,

    I just factory reset one of my APs on 8.11.2.2. On bring up, I see both aes-ctr and aes-cbc ciphers in the show ssh results. When I disable aes-cbc, I only see aes-ctr ciphers. I see the same behavior in 8.10.0.11 too. Which version are you running on your APs? Do you have aes-ctr ciphers disabled (show running-config | include ssh)?

    d0:4d:c6:c3:25:2a# show ssh
    Please change default password to private ones before any other operator.
     
    SSH Ciphers Settings:
    Ciphers       :aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
    d0:4d:c6:c3:25:2a# show ver | include ArubaOS
    ArubaOS (MODEL: 655), Version 8.11.2.2 SSR
    d0:4d:c6:c3:25:2a# 
    d0:4d:c6:c3:25:2a# conf t
    We now support CLI commit model, please type "commit apply" for configuration to take effect.
    d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers 
    aes-cbc     
    aes-ctr     
     
    d0:4d:c6:c3:25:2a (config) # ssh disable-ciphers aes-cbc
    d0:4d:c6:c3:25:2a (config) # end
    d0:4d:c6:c3:25:2a# commit apply
    committing configuration...
    configuration committed.
    d0:4d:c6:c3:25:2a# show ssh
     
    SSH Ciphers Settings:
    Ciphers       :aes128-ctr,aes192-ctr,aes256-ctr
    d0:4d:c6:c3:25:2a# 


    Original Message


  • 5.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted 20 days ago

    I just confirmed with the official Terrapin Attack vulnerability scanner that disabling aes-cbc ciphers as described in my earlier response resolves the issue.


    Original Message


  • 6.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 20 days ago

    You were correct. I stop reading at 'c', apparently! The CBC ciphers have been disabled, and I'll take you word below that they'll pass the check!


    Original Message


  • 7.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 20 days ago

    Terrapin vulnerability should be resolved with latest ArubaOS-CX versions for switches. Unfortunately no info regarding APs and GWs.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------

    Original Message


  • 8.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 20 days ago

    The one I'm working with has the latest 8.11 version. I try not to jump to new releases like 8.12.0 right away!


    Original Message


  • 9.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted 20 days ago

    Hi Troy,

    Just so that you're aware, 8.11 is no longer receiving patches. At some point, you'll want to upgrade.


    Original Message


  • 10.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    Posted 20 days ago

    I will, though I usually wait until at least one or two patches have been applied, especially to a new release version. Thanks for the heads up!


    Original Message


  • 11.  RE: AP-505 Subject to SSH-Terrapin Vulnerability?

    EMPLOYEE
    Posted 4 days ago

    This may be a false detection of your internal network scan. The Aruba Product Security Policy can be found here.

    In general, if a product is NOT vulnerable, there will NOT be an announcement/bulletin as it's impossible to send out bulletins for everything products are not vulnerable to.

    I didn't find a bulletin for APs or controllers on Terrapin, so expect those not to be vulnerable, which may be because of configuration, sofware version or other reasons.

    If you are unsure, you can/should ask TAC (following the Product Security Policy). Or as you may have done disable aes-cbc to satisfy the network scan if that feels better or is easier.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message