Nextcloud: Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection’s security by breaking the integrity of the secure channel.

Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the “first-ever practically exploitable prefix truncation attack.”

In a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or gain control over critical systems using administrator-privileged access.

Weak SSH algorithms refer to the encryption and key exchange methods utilized in the Secure Shell (SSH) protocol, highlighting the security vulnerabilities or obsolescence associated with these algorithms. SSH is a protocol for establishing secure network connections and is often used to provide secure access to remote systems. However, some outdated or vulnerable algorithms can increase information security risks.

When such weak algorithms are used, attackers can more easily access encrypted data by targeting these vulnerabilities. Weak SSH algorithms can make it easier for malicious actors to crack passwords or gain access. Furthermore, using these algorithms makes secure connections more vulnerable and can increase the risk of unauthorized access

HackerOne report :

https://hackerone.com/reports/2431683 ( nextcloud report)

https://hackerone.com/reports/318068

Reference:

https://thehackernews.com/2024/01/new-terrapin-flaw-could-let-attackers.html

https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/

https://threatmon.io/vulnerability/weak-ssh-algorithms-discovered/

https://jfrog.com/blog/ssh-protocol-flaw-terrapin-attack-cve-2023-48795-all-you-need-to-know/

https://terrapin-attack.com/

Target :

scan.nextcloud.com (95.217.53.149)

Step To Reproduce:

1: Detection for Weak and vulnerable algorithms

Tools: Nmap,ssh-audit

nmap --script ssh2-enum-algos target -sV -p- 

# SSH-AUDIT 
ssh-audit Target 

https://www.sshaudit.com/

ssh-audit scan file :

nmap scan file :

2 : Detection for Terrapin Attack

To be vulnerable the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and no kex-strict-?[email protected] key exchange marker is offered by this target.

They also created vulnerability scanner for this :

https://github.com/RUB-NDS/Terrapin-Scanner

Brief description :

1. Deprecated & Weak SHA-1 Algorithm In UseAffected Algorithms:References:

   Description: SHA-1 is known to have several practical & exploitable weaknesses.

   • ssh-rsa
   • diffie-hellman-group14-sha1
   • [email protected]
   • hmac-sha1

   Solution: Replace SHA-1 with SHA-256, SHA-384, or SHA-512

   • Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y., “The first collision for full SHA-1”, <https://shattered.io/static/shattered.pdf&gt;, Retrieved Jun. 1, 2017.
   • Google, Inc., “Gradually sunsetting SHA-1”, <https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html&gt;, Published Sept. 5, 2014, Retrieved Jun. 1, 2017.
   • Leurent, G., Peyrin, T., “SHA-1 is a Shambles”, <https://eprint.iacr.org/2020/014.pdf&gt;, Retrieved Feb. 8, 2020.

2. Possibly Compromised NIST P-Curves In UseAffected Algorithms:References:

   Description: The NIST P-curves are strongly suspected by some as being back-doored by the NSA.

   • ecdsa-sha2-nistp256
   • ecdh-sha2-nistp256
   • ecdh-sha2-nistp384
   • ecdh-sha2-nistp521

   Solution: Replace ECDSA host keys with RSA and/or ED25519 host keys. Replace ECDH key exchange algorithms with traditional Diffie-Hellman algorithms and/or the Curve25519 algorithm.

   • Bernstein, D., Lange, T., “SafeCurves: choosing safe curves for elliptic-curve cryptography”, <https://safecurves.cr.yp.to/&gt;, Published 2014, Retrieved Oct. 3, 2017.

3. Diffie-Hellman Group 14 In UseAffected Algorithms:References:

   Description: Diffie-Hellman Group 14 uses a somewhat small 2048-bit modulus, which is only equivalent to 112-bits of symmetric security.

   • diffie-hellman-group14-sha256

   Solution: Replace with Diffie-Hellman Group 15, which affords a 128-bit level of security.

   • U.S. Department of Commerce, National Institute of Standards and Technology, “NIST Special Publication 800-57 Part 1 Revision 4”, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf&gt;, pg. 53, 55, Published Jan. 2016, Retrieved Jun. 1, 2017.
   • National Institute of Standards and Technology, U.S. Department of Commerce, “NIST Special Publication 800-131A Revision 1: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf&gt;, pg. 6, Published Nov. 2015, Retrieved Oct. 9, 2017.

4. MAC Algorithm With Insufficient Tag Size EnabledAffected Algorithms:References:

   Description: MAC tags less than 128 bits long are vulnerable to collision attacks, resulting in forged messages.

   • [email protected]
   • [email protected]

   Solution: Use MACs with tag sizes of 128 bits or larger, such as [email protected], [email protected], or [email protected], if possible.

   • Wikimedia Foundation, Inc., “Birthday attack”, <https://en.wikipedia.org/wiki/Birthday_attack&gt;, Published Aug. 27, 2017, Retrieved Oct. 9, 2017.

5. Encrypt-And-MAC Algorithm EnabledAffected Algorithms:References:

   Description: Encrypt-and-mac algorithms are theoretically weaker than encrypt-then-mac (etm) algorithms with respect to chosen plaintext attacks, chosen ciphertext attacks, and non-malleability.

   • [email protected]
   • hmac-sha2-256
   • hmac-sha2-512

   Solution: Disable the affected MACs.

   • Bellare, M., Namprempre, C., “Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm”, <http://cseweb.ucsd.edu/~mihir/papers/oem.pdf&gt;, pg. 5, Published Jul. 14, 2007, Retrieved Oct. 9, 2017.

6. Chacha20-Poly1305 Terrapin VulnerabilityAffected Algorithms:References:

   Description: The chacha20-poly1305 cipher is susceptible to the Terrapin vulnerability when the kex-strict marker ([email protected]) is not in the list of key exchanges. Note that, even when the kex-strict marker is present in the target, its peer must present the marker as well, otherwise an insecure channel will still be created. If connections with unpatched peers is possible, then this cipher must be fully disabled.

   • [email protected]

   Solution: Upgrade the SSH implementation to one that supports the kex-strict marker ([email protected]), or disable this cipher entirely.

   • Bäumer, Brinkmann, and Schwenk, “Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation”, <https://arxiv.org/abs/2312.12422&gt;, Published Dec. 19, 2023, Retrieved Dec. 21, 2023.
   • U.S. Department of Commerce, National Institute of Standards and Technology, “NVD - CVE-2023-48795”, <https://nvd.nist.gov/vuln/detail/CVE-2023-48795&gt;, Published Dec. 18, 2023, Retrieved Dec. 21, 2023.

Impact

As of 2022, there are approximately 549 million Wifi hotspots worldwide. According to the Forbes Advisor, 40% of respondents had their information compromised while using public Wi-Fi.People most commonly use public Wi-Fi in cafes and restaurants (38%), hotels (38%), and libraries (33%) majority of people (56%) connect to public Wi-Fi networks that don’t require a password, while 44% connect to networks that do. In the US, 47% of people say they use public Wi-Fi regularly. And that’s no surprise, as Americans continue to work remotely, attend school online, and save their cellular data while they’re out and about.

Internet provider companies and government agencies spy on citizens by catching our internet traffic, This type of spoofing attack against civilians now become an open secret.

You and me also everyone use public wifi networks, chilling in a cafe with friends, and working remotely now become a part of our life so this type of bug is now becoming more alarming than ever. Using a VPN will decrease internet speed that’s why a VPN isn’t a solution.

• Weak SSH algorithms utilize cryptographic algorithms that are vulnerable to attacks, making it easier for malicious actors to decrypt sensitive data transmitted over SSH connections. This can lead to the exposure of confidential information, Hampering the integrity of SSH protocol, also this will help an attacker to gain access to the server.
• Due to Week ssh algorithms this makes your servers vulnerable to CVE-2023-48795

Internet service providers and Attackers in Adversary-in-the-Middle (AitM) position can exploit this vulnerability to hack your company if we don’t consider this seriously this could lead to a cyber attack against your company.

Your company’s activities show that you guys Consider data security very carefully.Gratefully I can say Security is your main priority and you should know that confidentiality integrity availability (CIA ) is the piler of security. This type of vulnerability is the most alarming to us for protecting the confidentiality and integrity of our data.

Your server scored an F grade As a well-known company Nextcloud deserves the best security, hope this report will help you to make this server an A grader