Controllerless Networks

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

ssh disable-ciphers aes-cbc

Then run your internal network scan test again and report back and let us know the results.

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?

Original Message:
Sent: May 07, 2024 12:59 PM
From: schmelzle
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

ssh disable-ciphers aes-cbc

Then run your internal network scan test again and report back and let us know the results.

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

Hi Troy,

I just factory reset one of my APs on 8.11.2.2. On bring up, I see both aes-ctr and aes-cbc ciphers in the show ssh results. When I disable aes-cbc, I only see aes-ctr ciphers. I see the same behavior in 8.10.0.11 too. Which version are you running on your APs? Do you have aes-ctr ciphers disabled (show running-config | include ssh)?

Original Message:
Sent: May 08, 2024 10:14 AM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?

Original Message:
Sent: May 07, 2024 12:59 PM
From: schmelzle
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

ssh disable-ciphers aes-cbc

Then run your internal network scan test again and report back and let us know the results.

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

Hi Troy,

I just factory reset one of my APs on 8.11.2.2. On bring up, I see both aes-ctr and aes-cbc ciphers in the show ssh results. When I disable aes-cbc, I only see aes-ctr ciphers. I see the same behavior in 8.10.0.11 too. Which version are you running on your APs? Do you have aes-ctr ciphers disabled (show running-config | include ssh)?

Original Message:
Sent: May 08, 2024 10:14 AM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The aes-cbc ciphers are the only ones listed when I do a 'show ssh' command. Wouldn't that be the same as disabling it?

Original Message:
Sent: May 07, 2024 12:59 PM
From: schmelzle
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

Try adding the following configuration to disable the CBC cipher in SSH which should clear up hits on the SSH Prefix Truncation Vulnerability (Terrapin). 

ssh disable-ciphers aes-cbc

Then run your internal network scan test again and report back and let us know the results.

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

Terrapin vulnerability should be resolved with latest ArubaOS-CX versions for switches. Unfortunately no info regarding APs and GWs.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2024

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

The one I'm working with has the latest 8.11 version. I try not to jump to new releases like 8.12.0 right away!

Terrapin vulnerability should be resolved with latest ArubaOS-CX versions for switches. Unfortunately no info regarding APs and GWs.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2024

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?

Hi Troy,

Just so that you're aware, 8.11 is no longer receiving patches. At some point, you'll want to upgrade.

The one I'm working with has the latest 8.11 version. I try not to jump to new releases like 8.12.0 right away!

Terrapin vulnerability should be resolved with latest ArubaOS-CX versions for switches. Unfortunately no info regarding APs and GWs.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2024

Original Message:
Sent: May 07, 2024 12:51 PM
From: Troy Jollimore
Subject: AP-505 Subject to SSH-Terrapin Vulnerability?

The last reference I could find to this is someone asking the question almost a decade ago, and not really getting an answer.

An internal network scan is flagging my AP's for this, yet I can't really find a listed 'fix' for it, aside from disabling SSH completely. Firmware is pretty recent.

Any ideas or suggestions?