
DHEat and Terrapin attack on R5 SSH.

CVE: CVE-2022-40735, CVE-2002-20001, CVE-2023-48795, CVE-2023-46445, CVE-2023-46446
Advisory Summary: Recently, NIST updated the vulnerabilities CVE-2022-40735 and CVE-2002-20001 to link to an IEEE paper presenting a practical Denial-of-Service attack on the finite field Diffie–Hellman key exchange. The attack is known as DHEat and is rated as a high vulnerability (more information at https://dheatattack.com).

The SSH service present in R5 recorders allows the use of a Diffie–Hellman key exchange, so there is a risk of a Denial-of-Service attack. We are releasing a patch that corrects this by removing the Diffie–Hellman key exchange.

This patch also corrects CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446, a medium-rated SSH vulnerability known as Terrapin (more information at https://terrapin-attack.com).

Products or Components: 8000 NVRs, 9000 NVRs, RideSafe GT/MT/RT NVRs
Addressed in Release: 5.27.0.0049 (GA), or patch 42114 R1.0 for 5.25.0.0127 (GA) and 5.26.0.0047 (GA)
Severity: High
Ticket: SV-124

Description

Recently, NIST updated the vulnerabilities CVE-2022-40735 and CVE-2002-20001 to link to an IEEE paper presenting a practical Denial-of-Service attack on the finite field Diffie–Hellman key exchange. The attack is known as DHEat and is rated as a high vulnerability (more information at https://dheatattack.com).

The SSH service present in R5 recorders allows the use of a Diffie–Hellman key exchange, so there is a risk of a Denial-of-Service attack. We are releasing a patch that corrects this by removing the Diffie–Hellman key exchange.

This patch also corrects CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446, a medium-rated SSH vulnerability known as Terrapin (more information at https://terrapin-attack.com). The correction is included in this patch because it involves a change in the same configuration file.

Impact

The main impact is a potential Denial-of-Service attack with DHEat (more information at https://dheatattack.com).

Solution

Update R5 recorders using either 5.25.0.0127 (GA) or 5.26.0.0047 (GA) with the 42114 R1.0 patch, or upgrade to 5.27.0.0049 (GA). Future releases of R5 will not be affected by the issues.

For older releases, limit use of the provisioning interface to when it is necessary and to trusted environments, and consider disabling the provisioning interface by contacting our technical support.

In case R5 recorders are managed under Command Enterprise, please remind customers that 2.17 is the minimum version that supports R5 recorders at 5.25.0.0127 (GA) and 5.26.0.0047 (GA), while 2.19 is the minimum version that supports R5 recorders at 5.27.0.0049 (GA).
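One way to confirm the result after updating is to inspect the algorithm lists the recorder's SSH service advertises. The following is an added example, not March Networks code: it parses an SSH_MSG_KEXINIT payload (binary packet framing already removed) and reports any finite-field Diffie–Hellman key exchanges and whether Terrapin-affected modes are offered without strict key exchange. The function names and the two sample algorithm lists are assumptions constructed for illustration, not values taken from a recorder.

```python
import struct

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into its name-lists."""
    fields = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
    if len(payload) < 17 or payload[0] != 20:        # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                               # skip type byte + 16-byte cookie
    for field in fields:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def audit(server_kexinit: bytes) -> dict:
    """Flag finite-field DH key exchanges (DHEat) and Terrapin-affected modes."""
    nl = parse_kexinit(server_kexinit)
    ciphers = set(nl["enc_c2s"]) | set(nl["enc_s2c"])
    macs = set(nl["mac_c2s"]) | set(nl["mac_s2c"])
    strict = "kex-strict-s-v00@openssh.com" in nl["kex"]
    # Terrapin applies to ChaCha20-Poly1305 and to CBC ciphers with Encrypt-then-MAC.
    affected = ("chacha20-poly1305@openssh.com" in ciphers or
                (any(c.endswith("-cbc") for c in ciphers) and
                 any(m.endswith("-etm@openssh.com") for m in macs)))
    return {"ffdh_kex": [k for k in nl["kex"] if k.startswith("diffie-hellman-")],
            "strict_kex": strict,
            "terrapin_exposed": affected and not strict}

def build_kexinit(kex, enc, mac) -> bytes:
    """Build a constructed server KEXINIT payload (zero cookie) for the samples."""
    out = bytes([20]) + bytes(16)
    for names in (kex, ["ssh-ed25519"], enc, enc, mac, mac, ["none"], ["none"], [], []):
        data = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)     # first_kex_packet_follows, reserved

# Constructed samples (assumed algorithm lists, not captured from a recorder).
BEFORE = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha256"],
                       ["chacha20-poly1305@openssh.com", "aes128-ctr"],
                       ["hmac-sha2-256-etm@openssh.com"])
AFTER = build_kexinit(["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
                      ["aes128-ctr"], ["hmac-sha2-256-etm@openssh.com"])
```

An empty `ffdh_kex` list and `terrapin_exposed` set to `False` are the expected results for a recorder whose SSH service no longer offers the affected algorithms.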

Revision

July 23, 2024 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and the system being deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-security vulnerability is determined to affect March Networks products.
