elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2024-11-16 21:45:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update on Terrapin Attack fix with DSM 7.2.2

Mathieu Simon 2024-08-27 10:41:44 +02:00
parent 5faa34e4a4
commit e459e6d066
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Synology-DSM.md

@ -1,4 +1,4 @@
Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 branch.
Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. This guide currently covers DSM 7.2 version branch.
# DSM 7.2
@ -16,7 +16,7 @@ This opens a window **Customize encryption mode**, which contains 3 rows: ``Ciph
### Cipher
Leave the following ciphers enabled and disable the remaining ones:
Leave the following ciphers enabled and disable the remaining ones if you are on DSM 7.2.2 or later:
```
aes128-ctr
@ -24,9 +24,10 @@ aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
```
In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) `chacha20-poly1305@openssh.com` is disabled until Synology eventually provides a patched version of OpenSSH with DSM. Last checked against: DSM 7.2.1-69057 Update 4.
DSM versions earlier than 7.2.2: In order to work around [CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795) leave `chacha20-poly1305@openssh.com` disabled.
### KEX
@ -48,6 +49,7 @@ hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
```
## Applying the settings
Click on **Save** to close the window **Customize encryption mode**, returning back to the windows **Advanced Settings**. There click on **Save** again to close this window, finally back in the Control Panel, click on **Apply**.
@ -60,12 +62,13 @@ Click on **Save** to close the window **Customize encryption mode**, returning b
## Limitations
At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely overwritten by i.e. system updates or other configuration changes via the DSM web interface.
At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely to get overwritten by i.e. system updates or other configuration changes via the DSM web interface.
## Validated versions
| DSM | ssh-audit |
| ----------------------- | ------------- |
| DSM 7.2.2-72803 | [master @ 9049c8476ad75494f03941c1d2ff77206a2846c6 ](https://github.com/jtesta/ssh-audit/commit/9049c8476ad75494f03941c1d2ff77206a2846c6) |
| DSM 7.2.1-69057 Update 4 | [master @ fe65b5df8a2d36fb85747f600685091487837c0d ](https://github.com/jtesta/ssh-audit/commit/fe65b5df8a2d36fb85747f600685091487837c0d) |
| DSM 7.2.1-69057 Update 3 | [master @ c8e075ad13516b59ab30461d2590c3403e3379e8 ](https://github.com/jtesta/ssh-audit/commit/c8e075ad13516b59ab30461d2590c3403e3379e8) |
| DSM 7.2.1-69057 | [master @ 02ab487232de438c0811116f2676cb1c9b5f3d62 ](https://github.com/jtesta/ssh-audit/commit/02ab487232de438c0811116f2676cb1c9b5f3d62) |