Simple understanding of CVE-2023-48795 for OCP users


Environment

  • Red Hat OpenShift Container Platform (RHOCP)
  • SSH Server

Issue

  • SSH access to OCP nodes shows the use of vulnerable algorithms listed on the CVE-2023-48795 page.
  • Vulnerable algorithms such as the chacha20-poly1305@openssh.com cipher and the encrypt-then-MAC modes hmac-sha2-512-etm@openssh.com / hmac-sha2-256-etm@openssh.com / hmac-sha1-etm@openssh.com / hmac-md5-etm@openssh.com

Resolution

  • Make sure that the openssh rpm version used in your OCP environment is the fixed one listed in the Security Advisories on the CVE-2023-48795 page for the different RHEL platforms. If it is not, upgrade your OCP clusters to the next minor/major version that contains the fixed openssh rpm.

  • Red Hat OpenShift Container Platform 4 includes a fully managed node operating system, Red Hat Enterprise Linux CoreOS (RHCOS), which is based on RHEL. This KCS article helps you determine which RHEL version the RHCOS of your OCP cluster is based on.

  • Also, keep in mind that upgrading the affected RPMs individually on RHCOS nodes is not possible.

  • So the benefit of upgrading your clusters to the next minor/major OCP version that contains the fixed openssh rpm is that you do not have to change the cipher configuration of your cluster nodes.

  • An updated client and server advertise kex pseudo-algorithms that indicate use of the updated version of the protocol, which is protected from the attack. If 'kex-strict-c-v00@openssh.com' is offered by the client and 'kex-strict-s-v00@openssh.com' appears in the server's reply, you are using the fixed version and are safe.

  • In the future, check that the session establishment log contains both pseudo-algorithms, 'kex-strict-c-v00@openssh.com' and 'kex-strict-s-v00@openssh.com'. These pseudo-algorithms indicate that the countermeasures against the Terrapin attack are in effect and the vulnerable ciphers are no longer a concern.

Diagnostic Steps

  • Open an SSH session to a node of your OCP cluster with the command below, using the private key whose public half is installed on the node. The debug output is written to stderr, so redirect it into a file:
$ ssh -vvv -i ~/.ssh/id_rsa core@ocp-node-name 2> ssh-debug.log
  • Then 'grep' the saved file for the pseudo-algorithms 'kex-strict-c-v00@openssh.com' and 'kex-strict-s-v00@openssh.com'. If both are present, you are using the fixed version of the openssh rpm and are safe from this vulnerability.
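As an added check (an example script, not part of this Red Hat solution), the following POSIX shell function reads a saved ssh -vvv log and confirms the strict-kex marker on both the client proposal and the server proposal, then shows the negotiated cipher; it is run here over constructed sample logs, and the log file name and the awk parsing of the debug lines are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Red Hat article): check a saved `ssh -vvv` log
# for the Terrapin strict-kex markers on BOTH sides of the KEXINIT exchange.
# Capture the log first with:  ssh -vvv -i ~/.ssh/id_rsa core@ocp-node-name 2> ssh-debug.log

# terrapin_check LOGFILE
# Returns 0 only if the client offered kex-strict-c-v00@openssh.com AND the
# server's reply contained kex-strict-s-v00@openssh.com; returns 1 otherwise.
# It also prints the negotiated cipher/MAC lines so you can see whether one of
# the algorithms listed in the CVE was actually selected for the session.
terrapin_check() {
    awk '
        /local client KEXINIT proposal/ { side = "client" }
        /peer server KEXINIT proposal/  { side = "server" }
        /KEX algorithms:/ && side == "client" && /kex-strict-c-v00@openssh\.com/ { c = 1 }
        /KEX algorithms:/ && side == "server" && /kex-strict-s-v00@openssh\.com/ { s = 1 }
        /kex: (server->client|client->server) cipher:/ { print "negotiated: " $0 }
        END {
            printf "client strict kex: %s, server strict kex: %s\n", (c ? "yes" : "no"), (s ? "yes" : "no")
            exit ((c && s) ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample logs (only the relevant lines of real OpenSSH -vvv output).
SAFE_LOG=$(mktemp); VULN_LOG=$(mktemp)
cat > "$SAFE_LOG" <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,kex-strict-s-v00@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
EOF
# Same client against an unpatched server: the server proposal lacks the marker.
cat > "$VULN_LOG" <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
EOF

terrapin_check "$SAFE_LOG" && echo "patched: chacha20 is fine with strict kex on both sides"
terrapin_check "$VULN_LOG" || echo "NOT patched: server did not advertise strict kex"
```

Note that a patched client still lists the CVE's cipher and MAC names in its own proposal; what matters is that both strict-kex markers appear, which is why the function checks each side separately.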

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.