Terrapin Attack: CVE-2023-48795
Priority: ● Medium (CVSS score: 5.9)
Status: In Progress
First Published: March 15, 2024
Advisory Version: 1.2
References: CVE-2023-48795
Summary
CVE-2023-48795 describes a vulnerability in OpenSSH v9.5 and earlier. This vulnerability, also known as the "Terrapin attack", could allow an attacker to downgrade the security of an SSH connection by manipulating information transferred during the connection's initial handshake/negotiation sequence. The attacker must have already gained access to the local network, and must be able to both intercept communications and assume the identity of both the recipient and the sender. The CVSS 3.x rating of "Medium" reflects the difficulty in successfully exploiting this vulnerability.
CVE-2023-48795 has since been resolved in OpenSSH v9.6. Its mitigation requires both client and server implementations to be upgraded to this fixed version or later. This vulnerability can also be addressed by disabling use of the "ChaCha20-Poly1305" cipher in affected OpenSSH implementations.
More information about CVE-2023-48795 is available here:
Affected Products
Vulnerable Products
The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by CVE-2023-48795. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.
NOTE: Cited product documentation, including product-specific Alerts and Technical Bulletins, is available to Hitachi Vantara customers logged into Support Connect.
Product | Notes |
Storage Products |
HM850 / HM900 GUM (Built-in CLI) | CVE-2023-48795: Vulnerable. Vulnerability can be mitigated by disabling the "ChaCha20-Poly1305" cipher on the SSH client. Permanent fix schedule TBD. |
Software Products |
Hitachi Remote Ops Monitor Agent | CVE-2023-48795: Vulnerable as strict key exchange is currently not implemented. Vulnerability can be mitigated by disabling the "ChaCha20-Poly1305" cipher on the device being monitored by HRO Monitor Agent. |
Hitachi Ops Center Administrator | CVE-2023-48795: Vulnerable. Permanent fixed version GA target late March / early April 2024 |
Hitachi Virtual Storage System Block (VSSB) | CVE-2023-48795: Vulnerable. Vulnerability can be mitigated by disabling the "ChaCha20-Poly1305" cipher on the client that connects to the Maintenance Node. Permanent fixed version GA target TBD |
Content Products |
Hitachi Data Ingestor (HDI) | CVE-2023-48795: HDI OS is Vulnerable if the SSH client implements the "ChaCha20-Poly1305" cipher and prioritizes its use over AES variants. Vulnerability can be mitigated by disabling the "ChaCha20-Poly1305" cipher on the affected SSH client. Permanent fixed version GA target TBD. |
Network Attached Storage |
Hitachi Network Attached Storage (HNAS) | CVE-2023-48795: Vulnerable as strict key exchange is currently not implemented. Vulnerability can be mitigated by disabling the "ChaCha20-Poly1305" cipher. |
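The notes above turn on two things a peer announces at the start of the handshake: whether it offers the "ChaCha20-Poly1305" cipher and whether it advertises strict key exchange. The following Python example is added here and is not Hitachi Vantara or OpenSSH code; it parses an SSH_MSG_KEXINIT payload (RFC 4253) and reports both. The strict key exchange marker names are the ones OpenSSH 9.6 uses and do not appear in this advisory, and the sample payload is constructed, not captured.

```python
import struct

CHACHA = "chacha20-poly1305@openssh.com"
# Strict key exchange markers advertised by OpenSSH 9.6+ (not named in this advisory).
STRICT_KEX = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists


def assess(payload: bytes) -> dict:
    """Report the two conditions the advisory's product notes refer to."""
    lists = parse_kexinit(payload)
    offers_chacha = CHACHA in lists["enc_c2s"] or CHACHA in lists["enc_s2c"]
    strict = bool(STRICT_KEX & set(lists["kex"]))
    return {"offers_chacha20": offers_chacha, "strict_kex": strict,
            "needs_mitigation": offers_chacha and not strict}


def build_kexinit(kex, ciphers):
    """Build a constructed KEXINIT payload for the demo (not captured traffic)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([20]) + bytes(16) + name_list(kex) + name_list(["ssh-ed25519"])
    body += name_list(ciphers) * 2 + name_list(["hmac-sha2-256"]) * 2
    body += name_list(["none"]) * 2 + name_list([]) * 2
    return body + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    print(assess(build_kexinit(["curve25519-sha256"], [CHACHA])))  # constructed
```

SSH_MSG_KEXINIT is exchanged before encryption starts, so the payload can be taken from a packet capture of a connection attempt; each payload shows only what that one peer offers.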
Products Confirmed Not Vulnerable
* This is an ongoing investigation across all Hitachi Vantara product lines. Please note that products may be reclassified as vulnerable as they continue to be evaluated for risk and as additional information pertaining to CVE-2023-48795 is released.
Product | Notes |
Storage Products |
Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform VSP G130, F/G350, VSP F/G370, VSP F/G700, VSP F/G900 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform G1000, F/G1500 (VSP F/G1x00) RAID 800 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Virtual Storage Platform (VSP) RAID 700 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Unified Storage VM (HUS VM) HM700 | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2x00) | CVE-2023-48795: Not vulnerable. Affected components not used |
Hitachi Unified Storage DF850XS, DF850S, DF850MH (HUS 1x0) | CVE-2023-48795: Not vulnerable. Affected components not used |
Software Products |
Hitachi Remote Ops SVP Agent | CVE-2023-48795: Not vulnerable. Affected components not used |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.