SUSE addresses the SSH v2 protocol Terrapin Attack aka CVE-2023-48795

Today, on December 18th 2023, researchers from the Ruhr University Bochum published a protocol flaw in the SSH v2 protocol, codenamed Terrapin Attack.

The flaw allows removing encrypted SSH messages at the begin of the communication, allowing downgrade of some security aspects of SSH connections.

The flaw does not allow injecting new traffic or commands.

It impacts various SSH software on all SUSE Linux products.

List of affected packages contained in SUSE products:

• openssh: all versions of SUSE Linux Enterprise are affected
• libssh: versions after 0.8.0, SUSE Linux Enterprise 12 SP5 and newer are affected
• libssh2_org: version starting with 0.11.0, SUSE Linux Enterprise 12 SP5 and newer are affected
• golang.org/x/crypto/ssh: the GO ssh module embedded in various GO packages is affected
• jsch: the current versions of Java SSH shipped by SUSE are not affected
• putty: all versions affected

Fixes for openssh on SUSE Linux Enterprise have been issued on December 18th, others packages will follow in the days after.

Mitigations are documented on our TID linked below.

List of TID and CVE URLs:

• Researcher Blog: https://terrapin-attack.com/
• SUSE CVE Page: https://www.suse.com/security/cve/CVE-2023-48795
• TID: https://www.suse.com/support/kb/doc/?id=000021295

This vulnerability, while potentially serious to unpatched systems, poses little danger to those who keep their SUSE product patched and up
to date. We are releasing fixes and updates to all affected versions, eliminating the potential for disruption.

If you have any questions or concerns, please reach out to your SUSE contact.

Security and reliability continue to be top priorities for SUSE because they are top priorities for our customers and partners. And as always, customers and partners come first.