From e459e6d066bf78c2011ed5a7ac0eee202ca5410f Mon Sep 17 00:00:00 2001 From: Mathieu Simon Date: Tue, 27 Aug 2024 10:41:44 +0200 Subject: [PATCH] Update on Terrapin Attack fix with DSM 7.2.2 --- Synology-DSM.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Synology-DSM.md b/Synology-DSM.md index 4469d7a..c0b6054 100644 --- a/Synology-DSM.md +++ b/Synology-DSM.md @@ -1,4 +1,4 @@ -Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 branch. +Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 version branch. # DSM 7.2 @@ -16,7 +16,7 @@ This opens a window **Customize encryption mode**, which contains 3 rows: ``Ciph ### Cipher -Leave the following ciphers enabled and disable the remaining ones: +Leave the following ciphers enabled and disable the remaining ones if you are on DSM 7.2.2 or later: ``` aes128-ctr @@ -24,9 +24,10 @@ aes128-gcm@openssh.com aes192-ctr aes256-ctr aes256-gcm@openssh.com +chacha20-poly1305@openssh.com ``` -In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) `chacha20-poly1305@openssh.com` is disabled until Synology eventually provides a patched version of OpenSSH with DSM. Last checked against: DSM 7.2.1-69057 Update 4. +DSM versions earlier than 7.2.2: In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) leave `chacha20-poly1305@openssh.com` disabled. ### KEX 
@@ -48,6 +49,7 @@ hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com ``` + ## Applying the settings Click on **Save** to close the window **Customize encryption mode**, returning back to the windows **Advanced Settings**. There click on **Save** again to close this window, finally back in the Control Panel, click on **Apply**. @@ -60,12 +62,13 @@ Click on **Save** to close the window **Customize encryption mode**, returning b ## Limitations -At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely overwritten by i.e. system updates or other configuration changes via the DSM web interface. +At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely to get overwritten by i.e. system updates or other configuration changes via the DSM web interface. ## Validated versions | DSM | ssh-audit | | ----------------------- | ------------- | +| DSM 7.2.2-72803 | [master @ 9049c8476ad75494f03941c1d2ff77206a2846c6 ](https://github.com/jtesta/ssh-audit/commit/9049c8476ad75494f03941c1d2ff77206a2846c6) | | DSM 7.2.1-69057 Update 4 | [master @ fe65b5df8a2d36fb85747f600685091487837c0d ](https://github.com/jtesta/ssh-audit/commit/fe65b5df8a2d36fb85747f600685091487837c0d) | | DSM 7.2.1-69057 Update 3 | [master @ c8e075ad13516b59ab30461d2590c3403e3379e8 ](https://github.com/jtesta/ssh-audit/commit/c8e075ad13516b59ab30461d2590c3403e3379e8) | | DSM 7.2.1-69057 | [master @ 02ab487232de438c0811116f2676cb1c9b5f3d62 ](https://github.com/jtesta/ssh-audit/commit/02ab487232de438c0811116f2676cb1c9b5f3d62) |
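Review bot: In the @@ -1,4 +1,4 @@ hunk the rewritten intro line still reads "an Linux-based" and now ends in "DSM 7.2 version branch", which is redundant. Since the line is being touched anyway, suggest "a Linux-based operating system" and "the DSM 7.2 branch".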
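Review bot: In the @@ -16,7 +16,7 @@ hunk the condition "if you are on DSM 7.2.2 or later" sits at the end of the sentence, so it can be read as applying only to "disable the remaining ones" rather than to the whole cipher list. Suggest leading with the version: "On DSM 7.2.2 or later, leave the following ciphers enabled and disable the remaining ones:".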
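Review bot: In the @@ -24,9 +24,10 @@ hunk the exception for DSM versions earlier than 7.2.2 appears only after the cipher list, which now contains chacha20-poly1305@openssh.com. A reader on 7.2.1 who works through the list top to bottom therefore enables the very cipher that the CVE-2023-48795 workaround keeps disabled. Suggest moving the "DSM versions earlier than 7.2.2" sentence above the list, or giving one list per version range. The hunk also drops "Last checked against: DSM 7.2.1-69057 Update 4" without a replacement. Stating in this section which build the change was verified on (the table row added further down names DSM 7.2.2-72803) would keep the claim checkable where it is made.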
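Review bot: In the @@ -60,12 +62,13 @@ hunk the reworded Limitations sentence keeps "by i.e. system updates" where an example is meant, so "e.g." is the right abbreviation. In the same paragraph, "doesn't allow you reaching" would read better as "doesn't allow you to reach". The paragraph still opens with "At least DSM version 7.2" while the table gains a DSM 7.2.2-72803 row; if the host-key limitation was re-checked on 7.2.2, say so here.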