Terrapin attack and strict KEX
clin52897 opened this issue · 1 comment
clin52897 commented
With the new SSH Terrapin vulnerability attack (CVE-2023-48795, CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446), it is detected that Dev Tunnel does not implement strict key exchange as a countermeasure to mitigate this risk. Is there any plan for Dev Tunnel to provide this support to prevent downgrade of OpenSSH security?
jasongin commented
None of the linked CVEs are applicable here.
This SSH library does not support the ChaCha20-Poly1305 algorithm that is vulnerable in the first two CVEs.
The second two CVEs are about flaws specific to the AsyncSSH project, which this library is not vulnerable to.
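The two points raised in this thread, whether a peer advertises strict key exchange and whether the ChaCha20-Poly1305 cipher can be negotiated, can both be read straight out of the SSH_MSG_KEXINIT exchange. The following is an added example, not code from this project or from either commenter: it builds constructed KEXINIT payloads (RFC 4253 section 7.1), applies the standard "first client preference the server also offers" negotiation rule, and reports whether the resulting connection would be exposed to Terrapin without the OpenSSH strict-KEX extension markers (`kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com`). It goes slightly beyond the page in also flagging CBC ciphers paired with encrypt-then-MAC MACs, the other algorithm combination named in the Terrapin disclosure; the `simple_kexinit` helper and all sample algorithm lists are constructed for this example.

```python
import struct

SSH_MSG_KEXINIT = 20
# Strict-KEX markers defined by OpenSSH 9.6; both sides must advertise their own.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c",
    "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c",
    "languages_c2s", "languages_s2c",
)


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from a dict of name-lists (missing lists are empty)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        out += _name_list(fields.get(field, []))
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved, always 0
    return out


def simple_kexinit(kex, enc, mac):
    """Constructed helper: same cipher/MAC lists in both directions."""
    return build_kexinit({
        "kex_algorithms": kex,
        "server_host_key_algorithms": ["ssh-ed25519"],
        "encryption_c2s": enc, "encryption_s2c": enc,
        "mac_c2s": mac, "mac_s2c": mac,
        "compression_c2s": ["none"], "compression_s2c": ["none"],
    })


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its name-lists, rejecting truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message id + cookie
    fields = {}
    for field in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        fields[field] = raw.decode("ascii").split(",") if raw else []
    return fields


def negotiate(client_names, server_names):
    """RFC 4253 rule: the first algorithm in the client's list that the server also offers."""
    for name in client_names:
        if name in server_names:
            return name
    return None


def assess_terrapin(client_kexinit, server_kexinit):
    """Report whether the negotiated connection would be exposed to Terrapin."""
    c = parse_kexinit(client_kexinit)
    s = parse_kexinit(server_kexinit)
    strict = (STRICT_KEX_CLIENT in c["kex_algorithms"]
              and STRICT_KEX_SERVER in s["kex_algorithms"])
    findings = {"strict_kex": strict, "at_risk_directions": []}
    for direction, enc_f, mac_f in (("c2s", "encryption_c2s", "mac_c2s"),
                                    ("s2c", "encryption_s2c", "mac_s2c")):
        cipher = negotiate(c[enc_f], s[enc_f])
        mac = negotiate(c[mac_f], s[mac_f])
        if cipher is None:
            continue  # no common cipher: the handshake would fail anyway
        chacha = cipher == "chacha20-poly1305@openssh.com"
        cbc_etm = (cipher.endswith("-cbc") and mac is not None
                   and mac.endswith("-etm@openssh.com"))
        if (chacha or cbc_etm) and not strict:
            findings["at_risk_directions"].append((direction, cipher, mac))
    findings["vulnerable"] = bool(findings["at_risk_directions"])
    return findings


# Constructed sample peers for the three situations discussed in the thread.
CLIENT = simple_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT],
                        ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                        ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SERVER_LEGACY = simple_kexinit(["curve25519-sha256"],
                               ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                               ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SERVER_STRICT = simple_kexinit(["curve25519-sha256", STRICT_KEX_SERVER],
                               ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                               ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SERVER_NO_CHACHA = simple_kexinit(["curve25519-sha256"],
                                  ["aes256-gcm@openssh.com"],
                                  ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])

if __name__ == "__main__":
    for label, server in (("legacy", SERVER_LEGACY), ("strict", SERVER_STRICT),
                          ("no-chacha", SERVER_NO_CHACHA)):
        print(label, assess_terrapin(CLIENT, server))
```

The third sample server mirrors the situation described in the reply above: a peer that never offers `chacha20-poly1305@openssh.com` (or a CBC-plus-EtM pair) negotiates an AES-GCM cipher and is not exposed even though neither side advertises strict KEX, whereas the first sample shows the same client against a peer that does offer ChaCha20 without the strict marker.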