Our great sponsors
-
Terrapin-Scanner
This repository contains a simple vulnerability scanner for the Terrapin attack present in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
We will show how to disable the affected ciphers on the example of Debian. We will use Docker to make this reproducible. Then we will verify our configuration using vulnerability scanner provided by the authors of the paper.
# docker run -it --rm debian:latest # then run the following commands apt-get update apt-get install -y git wget build-essential zlib1g-dev git clone https://github.com/mkj/dropbear cd dropbear # here we disable ChaCha20Poly1305 and enable GCM instead # CBC is disabled by default env CFLAGS='-DDROPBEAR_CHACHA20POLY1305=0 -DDROPBEAR_ENABLE_GCM_MODE=1' ./configure make make install # check if dropbear is vulnerable dropbear -R wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64 chmod +x Terrapin_Scanner_Linux_amd64 ./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22 pkill dropbear
For this Linux distribution you need cross compiler to recompile Dropbear. The easiest way to get it is to use official Docker image.