Synology DSM 6.2 SSH Terrapin fix

    Posted on August 16th, 2024 by admin

    I wrote this post half a year ago, but forgot to publish it. Nevertheless, I think it can still be useful.

    As you may already know, Synology still hasn’t released a fix for this vulnerability (Terrapin, CVE-2023-48795), even though it was disclosed almost a year ago. I use an old Synology RS3412RPxs server. The latest DSM version for it is still 6.2.4-25556 Update 7, which came out on 2023-05-02. Okay, it’s a 12 year old server, so no surprise it’s EoL. According to this forum post there’s a workaround for the problem: turning off the affected algorithms.

    Many security sites say that we have to disable the following:

    • chacha20-poly1305@openssh.com
    • any AES(128|192|256)-cbc cipher (or any other CBC-mode cipher)
    • any MAC that uses Encrypt-then-MAC (the -etm@openssh.com variants)

    Strictly speaking, the attack needs either chacha20-poly1305@openssh.com or a CBC cipher negotiated together with an -etm MAC, so dropping the -etm MACs already neutralises the CBC case; dropping the CBC ciphers as well costs nothing with modern clients. The CTR and GCM ciphers, and the CTR ciphers with a plain (MAC-then-encrypt) MAC, are not affected. Keep in mind that this is only a workaround: the real fix is the "strict kex" extension (kex-strict-s-v00@openssh.com on the server side) that patched OpenSSH versions negotiate, and an unpatched sshd cannot offer it.

    Checking my server showed that it offered the following vulnerable algorithms:

    • chacha20-poly1305@openssh.com
    • umac-64-etm@openssh.com
    • umac-128-etm@openssh.com
    • hmac-sha2-256-etm@openssh.com
    • hmac-sha2-512-etm@openssh.com
    • hmac-sha1-etm@openssh.com

    So I ended up with these options in /etc/ssh/sshd_config (OpenSSH spells the keyword MACs; keywords are case-insensitive, so Macs works too):

    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

    Then I reloaded the sshd service: synoservicectl --reload sshd

    Keep a copy of the edited file: DSM can rewrite /etc/ssh/sshd_config when the SSH service is reconfigured from Control Panel, so recheck the algorithms after any such change.

    I rechecked the offered algorithms with: nmap --script ssh2-enum-algos -sV -Pn -p 22 ipaddress (-sV isn’t needed by the script, it just adds the OpenSSH version banner to the output)

    encryption_algorithms: (5)
        aes256-gcm@openssh.com
        aes128-gcm@openssh.com
        aes256-ctr
        aes192-ctr
        aes128-ctr
    mac_algorithms: (4)
        umac-64@openssh.com
        umac-128@openssh.com
        hmac-sha2-256
        hmac-sha2-512
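    The same check without nmap, as an added example that is not part of the original post: a small Python script that does the SSH version exchange, reads the server’s SSH_MSG_KEXINIT and applies the rule above to every direction (chacha20-poly1305, CBC paired with an -etm MAC, and whether kex-strict-s-v00@openssh.com is offered, which nmap’s cipher/MAC lists alone don’t tell you). The two KEXINIT payloads at the bottom are constructed to mirror the "before" and "after" algorithm lists of this post so the parser can be exercised offline; the host name passed on the command line is whatever NAS you want to probe.

```python
"""Terrapin (CVE-2023-48795) exposure check from a server's SSH_MSG_KEXINIT.

Added example, not code from the post.  Speaks just enough SSH (RFC 4253
version exchange plus the first, unencrypted binary packet) to read the
algorithm lists the server offers, then flags chacha20-poly1305, any CBC
cipher combinable with an Encrypt-then-MAC MAC, and a missing strict-kex
extension.  The sample payloads at the bottom are constructed for offline use.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # offered only by patched servers

# Order of the ten name-lists in KEXINIT (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} for a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + 16-byte cookie
    out = {}
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def terrapin_findings(kex):
    """List the Terrapin-relevant offers; an empty list means nothing to fix."""
    findings = []
    if STRICT_KEX_SERVER not in kex["kex"]:
        findings.append("no strict-kex extension: mitigation rests on algorithm choice")
    for direction in ("c2s", "s2c"):
        enc, mac = kex["enc_" + direction], kex["mac_" + direction]
        if CHACHA in enc:
            findings.append(f"{direction}: {CHACHA} offered")
        cbc = [c for c in enc if c.endswith("-cbc")]
        etm = [m for m in mac if m.endswith("-etm@openssh.com")]
        if cbc and etm:  # the vulnerable combination is CBC *with* EtM
            findings.append(f"{direction}: CBC {cbc} combinable with EtM {etm}")
    return findings


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode ten name-lists as a KEXINIT payload (used for the offline samples)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        enc = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(enc)) + enc
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def probe(host, port=22, timeout=5.0):
    """Connect, exchange version strings and return (banner, parsed server KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # servers may send text lines first
            banner = f.readline()
        s.sendall(b"SSH-2.0-terrapin_check\r\n")
        (plen,) = struct.unpack(">I", f.read(4))  # packet_length of the first binary packet
        body = f.read(plen)
        padlen = body[0]  # padding_length byte; payload follows, padding trails
        return banner.decode("ascii", "replace").strip(), parse_kexinit(body[1:plen - padlen])


# Constructed samples mirroring the post's server before and after the sshd_config edit.
_COMMON = [["curve25519-sha256", "diffie-hellman-group14-sha256"], ["ssh-ed25519", "rsa-sha2-512"]]
_TAIL = [["none"], ["none"], [], []]
_VULN_ENC = [CHACHA, "aes256-ctr", "aes256-cbc"]
_VULN_MAC = ["hmac-sha2-256-etm@openssh.com", "umac-64-etm@openssh.com", "hmac-sha2-256"]
_FIXED_ENC = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]
_FIXED_MAC = ["umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512"]
VULNERABLE_SAMPLE = build_kexinit(_COMMON + [_VULN_ENC, _VULN_ENC, _VULN_MAC, _VULN_MAC] + _TAIL)
FIXED_SAMPLE = build_kexinit(_COMMON + [_FIXED_ENC, _FIXED_ENC, _FIXED_MAC, _FIXED_MAC] + _TAIL)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: terrapin_check.py <host> [port]")
    banner, kex = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    print(banner)
    for line in terrapin_findings(kex) or ["no Terrapin-relevant algorithms offered"]:
        print(" -", line)
```

    Against the post’s post-fix server the script reports only the missing strict-kex extension, which is exactly the point: the algorithm edit removes the exploitable offers, but only a patched sshd can negotiate the real fix.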

    This solution will do until I discard this old server.
