Rebex .NET components 7.0.8755: Terrapin weakness mitigation, improved Native AOT compatibility

January 25, 2024 | Lukas Pokorny

Terrapin weakness mitigation

Rebex SSH library now implements OpenSSH's strict KEX protocol extension that addresses a weakness in the SSH protocol that makes some OpenSSH ciphers vulnerable to Terrapin attack (CVE-2023-48795).

The attack is only possible when one of the following OpenSSH ciphers is in use:

chacha20-poly1305@openssh.com (symmetric encryption cipher)
hmac-sha2-256-etm@openssh.com (MAC cipher)
hmac-sha2-512-etm@openssh.com (MAC cipher)

Fortunately, in practice, the actual impact of the weakness on most SSH implementation seems to be negligible. No version of Rebex SSH relies on RFC 8308 extension negotiation mechanism yet, so this weakness can only be used by an attacker to disrupt authentication, causing the SSH session to fail.

Strict key exchange extension is enabled by default. It can be disabled using Settings.SshParameters.UseStrictKeyExchange option. Please note that this extension only resolves the weakness if both the client and server SSH implementation support it. When connecting a vulnerable client to an updated server (or vice versa), Terrapin attack is still possible. To mitigate this as well, disable the three ciphers listed above.

Improved Native AOT compatibility

This update improves compatibility with .NET 8's Native AOT deployment model, which makes it possible to compile applications to native code ahead-of-time (AOT). Most common features should already work in Native AOT mode.

And more...

For a detailed list of changes, see the release history.