mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-16 21:45:39 +01:00
Update on Terrapin Attack fix with DSM 7.2.2
parent
5faa34e4a4
commit
e459e6d066
@ -1,4 +1,4 @@
|
||||
Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 branch.
|
||||
Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 version branch.
|
||||
|
||||
# DSM 7.2
|
||||
|
||||
@ -16,7 +16,7 @@ This opens a window **Customize encryption mode**, which contains 3 rows: ``Ciph
|
||||
|
||||
### Cipher
|
||||
|
||||
Leave the following ciphers enabled and disable the remaining ones:
|
||||
Leave the following ciphers enabled and disable the remaining ones if you are on DSM 7.2.2 or later:
|
||||
|
||||
```
|
||||
aes128-ctr
|
||||
@ -24,9 +24,10 @@ aes128-gcm@openssh.com
|
||||
aes192-ctr
|
||||
aes256-ctr
|
||||
aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
```
|
||||
|
||||
In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) `chacha20-poly1305@openssh.com` is disabled until Synology eventually provides a patched version of OpenSSH with DSM. Last checked against: DSM 7.2.1-69057 Update 4.
|
||||
DSM versions earlier than 7.2.2: In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) leave `chacha20-poly1305@openssh.com` disabled.
|
||||
|
||||
### KEX
|
||||
|
||||
@ -48,6 +49,7 @@ hmac-sha2-256-etm@openssh.com
|
||||
hmac-sha2-512-etm@openssh.com
|
||||
umac-128-etm@openssh.com
|
||||
```
|
||||
|
||||
## Applying the settings
|
||||
|
||||
Click on **Save** to close the window **Customize encryption mode**, returning back to the windows **Advanced Settings**. There click on **Save** again to close this window, finally back in the Control Panel, click on **Apply**.
|
||||
@ -60,12 +62,13 @@ Click on **Save** to close the window **Customize encryption mode**, returning b
|
||||
|
||||
## Limitations
|
||||
|
||||
At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely overwritten by i.e. system updates or other configuration changes via the DSM web interface.
|
||||
At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely to get overwritten by i.e. system updates or other configuration changes via the DSM web interface.
|
||||
|
||||
## Validated versions
|
||||
|
||||
| DSM | ssh-audit |
|
||||
| ----------------------- | ------------- |
|
||||
| DSM 7.2.2-72803 | [master @ 9049c8476ad75494f03941c1d2ff77206a2846c6 ](https://github.com/jtesta/ssh-audit/commit/9049c8476ad75494f03941c1d2ff77206a2846c6) |
|
||||
| DSM 7.2.1-69057 Update 4 | [master @ fe65b5df8a2d36fb85747f600685091487837c0d ](https://github.com/jtesta/ssh-audit/commit/fe65b5df8a2d36fb85747f600685091487837c0d) |
|
||||
| DSM 7.2.1-69057 Update 3 | [master @ c8e075ad13516b59ab30461d2590c3403e3379e8 ](https://github.com/jtesta/ssh-audit/commit/c8e075ad13516b59ab30461d2590c3403e3379e8) |
|
||||
| DSM 7.2.1-69057 | [master @ 02ab487232de438c0811116f2676cb1c9b5f3d62 ](https://github.com/jtesta/ssh-audit/commit/02ab487232de438c0811116f2676cb1c9b5f3d62) |
|
||||
|
Loading…
Reference in New Issue
Block a user