Synology DSM 6.2 SSH Terrapin fix
Posted on August 16th, 2024
I wrote this post half a year ago, but forgot to publish it. Nevertheless, I think it can still be useful.
As you may already know, Synology still hasn't released a fix for this vulnerability, even though it was discovered almost a year ago. I use an old Synology RS3412RPxs server. The latest DSM version for it is still 6.2.4-25556 Update 7, which came out on 2023-05-02. Okay, it's a 12-year-old server, so no surprise it's EoL. According to this forum post there's an alternative solution to the problem: disabling the affected algorithms on the server.
Many security sites say that the following have to be disabled:
- chacha20-poly1305
- any AES(128|192|256)-cbc ciphers
- any MACs that use Encrypt-then-MAC (EtM)
Checking my server showed that it offered the following vulnerable algorithms:
- chacha20-poly1305@openssh.com
- umac-64-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- hmac-sha1-etm@openssh.com
So I ended up with these options in /etc/ssh/sshd_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
Then I restarted the sshd service: synoservicectl --reload sshd
I rechecked the active algorithms with: nmap --script ssh2-enum-algos -sV -Pn -p 22 ipaddress
encryption_algorithms: (5)
    aes256-gcm@openssh.com
    aes128-gcm@openssh.com
    aes256-ctr
    aes192-ctr
    aes128-ctr
mac_algorithms: (4)
    umac-64@openssh.com
    umac-128@openssh.com
    hmac-sha2-256
    hmac-sha2-512
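The three rules above (drop chacha20-poly1305, drop the AES-CBC ciphers, drop the Encrypt-then-MAC MACs) are easy to apply by hand once, but they are also easy to check automatically, both against an sshd_config before it is deployed and against the nmap ssh2-enum-algos listing afterwards. The script below is an added example written for this post, not something from Synology or from the original article. It encodes the post's three rules as one predicate, parses both a Ciphers/MACs configuration and the nmap listing, and reports which offered algorithms still match. It goes one step beyond the post: it also looks for kex-strict-s-v00@openssh.com in the server's kex_algorithms, the strict key exchange extension that patched OpenSSH servers (9.6 and later) advertise; on a server that offers it, the cipher restriction is no longer needed. The sshd_config and nmap samples embedded in the script are constructed for the example (the "after" lists are the ones from the post), and the nmap parser assumes the standard "|   name: (count)" followed by indented entries layout that the script produces.

```python
"""Check sshd_config or nmap ssh2-enum-algos output for the algorithms the post disables.

Added example for the Synology DSM 6.2 Terrapin post; not part of the original article.
"""
import re

# Server-side strict-KEX marker advertised by OpenSSH 9.6+ (not mentioned in the post).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def is_terrapin_affected(name: str) -> bool:
    """The post's three rules, applied to a single algorithm name."""
    n = name.strip().lower()
    return (
        n.startswith("chacha20-poly1305")                      # chacha20-poly1305[@openssh.com]
        or re.fullmatch(r"aes(128|192|256)-cbc", n) is not None  # any AES-CBC cipher
        or "-etm@" in n                                        # any Encrypt-then-MAC MAC
    )


def parse_sshd_config(text: str) -> dict:
    """Collect the comma-separated lists of the Ciphers and MACs directives.

    Keywords are case-insensitive in sshd_config, so "Macs" and "MACs" both match.
    """
    found = {"ciphers": [], "macs": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in found:
            found[key].extend(a.strip() for a in value.split(",") if a.strip())
    return found


def parse_nmap_enum_algos(text: str) -> dict:
    """Parse the indented listing printed by `nmap --script ssh2-enum-algos`."""
    algos, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # strip nmap's "|", "|_" margin
        header = re.match(r"^(\w+): \(\d+\)$", line)
        if header:
            current = header.group(1)
            algos[current] = []
        elif current and line:
            algos[current].append(line.strip())
    return algos


def audit(algos_by_type: dict) -> list:
    """Return the sorted set of offered algorithms the post's rules say to disable."""
    flagged = set()
    for key in ("ciphers", "macs", "encryption_algorithms", "mac_algorithms"):
        flagged.update(a for a in algos_by_type.get(key, []) if is_terrapin_affected(a))
    return sorted(flagged)


def has_strict_kex(algos_by_type: dict) -> bool:
    """True when the scanned server advertises the strict-KEX countermeasure."""
    return STRICT_KEX_SERVER in algos_by_type.get("kex_algorithms", [])


# Constructed sample: a typical pre-hardening configuration.
SSHD_CONFIG_BEFORE = """
Port 22
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
MACs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# The lists from the post.
SSHD_CONFIG_AFTER = """
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
"""

# Constructed nmap output modelled on the post's post-fix scan (kex list is made up).
NMAP_OUTPUT = """
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|   encryption_algorithms: (5)
|       aes256-gcm@openssh.com
|       aes128-gcm@openssh.com
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|   mac_algorithms: (4)
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|_      hmac-sha2-512
"""

if __name__ == "__main__":
    print("before:", audit(parse_sshd_config(SSHD_CONFIG_BEFORE)))
    print("after: ", audit(parse_sshd_config(SSHD_CONFIG_AFTER)))
    scan = parse_nmap_enum_algos(NMAP_OUTPUT)
    print("scan:   flagged", audit(scan), "strict-kex", has_strict_kex(scan))
```

Run it against a real server by pasting the nmap output into NMAP_OUTPUT or by reading /etc/ssh/sshd_config into parse_sshd_config; an empty list from audit() means nothing the post's rules cover is still offered.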
This solution will do until I discard this old server.