Millions still haven't patched Terrapin SSH protocol vulnerability - Ars Technica
News Source: Ars Technica
- All of the unpatched implementations tracked by Shadowserver supported the required cipher modes. Only 53 of the vulnerable instances relied on implementations of AsyncSSH, the only app currently known to be seriously affected by Terrapin.
- Despite earlier versions of AsyncSSH being the only known application vulnerable to practical Terrapin attacks, the researchers spent little time analyzing other implementations.
- It appears the overwhelming majority of AsyncSSH users have installed the patches. The requirement of an adversary-in-the-middle (AitM) position and the lack of currently known practical attacks made possible by Terrapin are important mitigating factors that some critics say have been lost in some news coverage.
- The researchers listed the following implementations as vulnerable and included links to patches when available.
- Dan Goodin - Jan 3, 2024 9:49 pm UTC: Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks.
- AsyncSSH has patched those two vulnerabilities, tracked as CVE-2023-46445 and CVE-2023-46446, in addition to CVE-2023-48795, the Terrapin vulnerability affecting the SSH protocol.
Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks. Once they're in, attackers co [+6378 chars]