Bug 1218183

Summary: VUL-0: CVE-2023-48795: python-Twisted: prefix truncation breaking ssh channel integrity aka Terrapin Attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: daniel.garcia, gus.kenion, hpj, mcepl, meissner, ncutler, rfrohl, sascha.wessels, security-team, smash_bz, sreeves, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217950    

Description Marcus Meissner 2023-12-19 08:03:59 UTC
This bug tracks the python-Twisted SSH implementation with regard to the Terrapin Attack.

+++ This bug was initially created as a clone of Bug #1217950 +++
Comment 1 Marcus Meissner 2023-12-19 08:04:47 UTC
I checked the twisted source code in Factory and SP4; neither supports
chacha20-poly1305 or ETM.

However, they implement the SSH v2 protocol, so they might need the fix in some form, but less urgently.
Comment 2 Daniel Garcia 2024-01-10 17:02:45 UTC
Upstream issue can be found here: https://github.com/twisted/twisted/issues/12057
Comment 3 Matej Cepl 2024-02-13 23:13:04 UTC
The relevant part of the upstream ticket is this, I believe (https://github.com/twisted/twisted/issues/12057#issuecomment-1866239542):

> Just a quick comment from my part as one of the authors of the Terrapin paper. We also examined twisted.conch.ssh while compiling our list of implementations for responsible disclosure. While it seems true that you currently don't support the affected cipher modes, it may still be advisable to implement "strict kex" to improve the rigidity of the SSH handshake to avoid possible attacks of a similar kind in the future. The protocol weaknesses are buried deep within the SSH specification but only become exploitable when using newer ciphers. Handling it as a feature request seems fine because it does not affect security.

If I understand this correctly, then it means that we actually do not carry a CVE-worthy bug in our packages. If anything, this could be downgraded to a normal RFE, but unless we want to make this change upstream, we should probably leave this to upstream.

Suggesting WONTFIX.
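A check for the two conditions discussed in the comments above (whether the affected cipher modes would be negotiated, and whether both peers announce strict kex), as an added example that is not part of this bug report and not Twisted's code. It parses SSH_MSG_KEXINIT payloads as laid out in RFC 4253 section 7.1 and classifies a client/server pair as not-affected, mitigated or vulnerable to CVE-2023-48795. The strict-kex indicators are the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com pseudo-algorithms from the Terrapin advisory; the classification rule (ChaCha20-Poly1305, or a CBC cipher paired with an -etm@openssh.com MAC, without strict kex on both sides) follows that advisory. The sample KEXINIT payloads are constructed inline, not captured from any real server.

```python
"""Parse SSH_MSG_KEXINIT (RFC 4253 7.1) and classify Terrapin exposure.

Added example, not Twisted's code; sample payloads are constructed below.
"""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # announced by servers
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # announced by clients
CHACHA20 = "chacha20-poly1305@openssh.com"

# The ten name-lists that follow the message id and the 16-byte cookie.
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(payload, offset):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    if offset + 4 > len(payload):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", payload, offset)
    offset += 4
    raw = payload[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + length


def parse_kexinit(payload):
    """Return a dict with the ten name-lists and first_kex_packet_follows."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # message id + cookie
    msg = {}
    for field in FIELDS:
        msg[field], offset = _read_name_list(payload, offset)
    if offset + 5 > len(payload):  # boolean + reserved uint32
        raise ValueError("truncated KEXINIT tail")
    msg["first_kex_packet_follows"] = payload[offset] != 0
    return msg


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Encode a KEXINIT payload; used here only to construct sample inputs."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    lists = [kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()]
    body = b"".join(name_list(n) for n in lists)
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + body + b"\x00" + b"\x00" * 4


def negotiate(client_names, server_names):
    """RFC 4253 7.1: the first client-preferred name the server also lists."""
    for name in client_names:
        if name in server_names:
            return name
    return None


def terrapin_exposure(client_msg, server_msg):
    """'not-affected', 'mitigated' (strict kex on both sides) or 'vulnerable'."""
    affected = False
    for enc_field, mac_field in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        cipher = negotiate(client_msg[enc_field], server_msg[enc_field])
        mac = negotiate(client_msg[mac_field], server_msg[mac_field])
        if cipher == CHACHA20:
            affected = True  # AEAD cipher; the negotiated MAC is irrelevant
        elif cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
            affected = True  # CBC with encrypt-then-MAC
    if not affected:
        return "not-affected"
    strict = (STRICT_KEX_CLIENT in client_msg["kex"]
              and STRICT_KEX_SERVER in server_msg["kex"])
    return "mitigated" if strict else "vulnerable"


# Constructed samples: a server announcing strict kex, and three clients.
SERVER = parse_kexinit(build_kexinit(
    kex=("curve25519-sha256", STRICT_KEX_SERVER), hostkey=("ssh-ed25519",),
    enc=(CHACHA20, "aes256-gcm@openssh.com", "aes256-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256")))
OLD_CLIENT = parse_kexinit(build_kexinit(  # prefers chacha20, no strict kex
    kex=("curve25519-sha256",), hostkey=("ssh-ed25519",),
    enc=(CHACHA20, "aes256-ctr"), mac=("hmac-sha2-256",)))
NEW_CLIENT = parse_kexinit(build_kexinit(  # prefers chacha20, strict kex
    kex=("curve25519-sha256", STRICT_KEX_CLIENT), hostkey=("ssh-ed25519",),
    enc=(CHACHA20, "aes256-ctr"), mac=("hmac-sha2-256",)))
CTR_CLIENT = parse_kexinit(build_kexinit(  # CTR only, ETM MAC: not affected
    kex=("curve25519-sha256",), hostkey=("ssh-ed25519",),
    enc=("aes256-ctr",), mac=("hmac-sha2-256-etm@openssh.com",)))


def demo():
    """Classify each sample client against the sample server."""
    return {name: terrapin_exposure(client, SERVER) for name, client in
            (("old", OLD_CLIENT), ("new", NEW_CLIENT), ("ctr", CTR_CLIENT))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name} client vs server: {verdict}")
```

Note that "not-affected" only says the affected modes would not be negotiated with this peer; an implementation that does not offer them at all (as Comment 1 reports for twisted.conch) would still benefit from announcing strict kex, which is the point the upstream author made.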
Comment 4 Marcus Meissner 2024-02-14 13:56:28 UTC
Currently marking as WONTFIX.