====================================================================

                                  CERT-Renater

                        Note d'Information No. 2024/VULN354
_____________________________________________________________________

DATE                : 04/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache MINA versions prior
                                    to 2.12.0.

=====================================================================
https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b
_____________________________________________________________________

CVE-2024-41909: Apache MINA SSHD: integrity check bypass

Severity: moderate

Affected versions:

- Apache MINA SSHD through 2.11.0

Description:

Like many other SSH implementations, Apache MINA SSHD suffered from
the issue that is more widely known as CVE-2023-48795. An attacker
that can intercept traffic between client and server could drop
certain packets from the stream, potentially causing client and
server to consequently end up with a connection for which some security 
features have been downgraded or disabled, aka a
Terrapin attack

The mitigations to prevent this type of attack were implemented
in Apache MINA SSHD 2.12.0, both client and server side. Users
are recommended to upgrade to at least this version. Note that
both the client and the server implementation must have
mitigations applied against this issue, otherwise the connection may 
still be affected.

Credit:

Fabian Bäumer (finder)

References:

https://github.com/apache/mina-sshd/issues/445
https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-41909


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================