Terrapin Attack Has Left the Station

Pieter van Noordennen

Watching the world’s top public containers for SSH vulnerabilities CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446

Another holiday season, another CVE scare for the world’s containers.

On Monday, the National Vulnerability Database published one new vulnerability (CVE-2023-48795) and updated two others (CVE-2023-46445, CVE-2023-46446). All three come out of the Terrapin Attack research and concern SSH, the protocol used for remote access and automation throughout Kubernetes environments. CVE-2023-48795 is the Terrapin prefix-truncation flaw in the SSH protocol itself; the other two are implementation bugs in the AsyncSSH Python library that the same research team reported.

The good news, compared to the Log4j incident that ruined Christmas 2021 for many, is that a patch is readily available for the impacted library in our dataset (AsyncSSH versions 2.14.1 and below are affected; 2.14.2 fixes all three CVEs), and that the two preexisting vulnerabilities are rated Medium severity. One caveat: because CVE-2023-48795 is a protocol flaw rather than a library bug, every SSH implementation that offers the affected modes needed its own fix (OpenSSH shipped its countermeasure in 9.6, for example), so AsyncSSH is simply the package our scanners see.

In the words of the OpenSSH maintainers:

While cryptographically novel, the security impact of this attack
is fortunately very limited as it only allows deletion of
consecutive messages, and deleting most messages at this stage of
the protocol prevents user authentication from proceeding and
results in a stuck connection.

The vulnerability affects the SSH cipher modes ChaCha20-Poly1305 and CBC with Encrypt-then-MAC. An active man-in-the-middle injects unauthenticated messages during the handshake and can then silently delete the same number of messages from the start of the encrypted channel (a prefix truncation), because each deleted packet is absorbed by the sequence-number offset the injection created. The first encrypted message is usually the extension negotiation (SSH_MSG_EXT_INFO), so the practical outcome is a downgrade of the security features the two sides would otherwise have agreed on. For container workloads, that matters wherever an image ships an affected SSH client or server library, or where SSH carries management traffic across a network an attacker could sit on.

A view of one of the Terrapin CVEs in a Hello World example container, viewed in SlimAI’s Collaborative Workspaces.

Kubernetes itself does not orchestrate over SSH (the control plane speaks TLS), but SSH is everywhere around a cluster: node and bastion access, git operations in CI/CD pipelines, and automation libraries such as AsyncSSH baked into images. The Terrapin researchers measured that 77% of internet-exposed SSH servers support at least one of the vulnerable encryption modes. Anyone who can sit on the network path of those connections can therefore tamper with them; the attack needs an active man-in-the-middle and only deletes messages, so it is a downgrade rather than a decryption of traffic.
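Why a one-message injection licenses a one-message deletion is easiest to see in a small simulation. The following is an added example, not code from the Terrapin paper or from any SSH implementation: it models a single direction (server to client) of an Encrypt-then-MAC channel whose tag covers an implicit sequence number, the same property ChaCha20-Poly1305 has by using that number as its nonce. HMAC-SHA256 under a fixed, assumed key stands in for the negotiated MAC, and the strict key exchange countermeasure (in OpenSSH negotiated through the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com pseudo-algorithms) is reduced to its two rules: abort on any unexpected message during the handshake, and reset the sequence counter when the secure channel starts.

```python
"""Toy model of the Terrapin prefix-truncation attack (CVE-2023-48795).

Added example, not code from the Terrapin paper or from any SSH
implementation. Assumptions: only the server-to-client direction is
modelled, HMAC-SHA256 under a fixed key stands in for the negotiated
MAC, NEWKEYS is the only handshake message represented, and "strict
kex" is reduced to its two rules (abort on unexpected handshake
messages, restart the counter at NEWKEYS).
"""
import hashlib
import hmac

SSH_MSG_IGNORE = 2          # RFC 4253
SSH_MSG_SERVICE_ACCEPT = 6  # RFC 4253
SSH_MSG_EXT_INFO = 7        # RFC 8308, first message after NEWKEYS in OpenSSH
SSH_MSG_NEWKEYS = 21        # RFC 4253

MAC_KEY = b"assumed-key-derived-by-the-handshake"  # assumption: fixed toy key


def _tag(seq, body):
    """EtM tag: the MAC covers the implicit sequence number and the packet."""
    return hmac.new(MAC_KEY, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


class Sender:
    """Server side of the server->client direction."""

    def __init__(self, strict_kex):
        self.strict_kex = strict_kex
        self.seq = 0
        self.secure = False

    def send(self, msg_type, payload=b""):
        body = bytes([msg_type]) + payload
        # Handshake packets are unauthenticated but still consume a sequence number.
        tag = _tag(self.seq, body) if self.secure else b""
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.secure = True
            if self.strict_kex:
                self.seq = 0  # strict kex: the counter restarts with the secure channel
        return body, tag


class Receiver:
    """Client side of the same direction."""

    def __init__(self, strict_kex):
        self.strict_kex = strict_kex
        self.seq = 0
        self.secure = False
        self.received = []

    def receive(self, packet):
        body, tag = packet
        msg_type = body[0]
        if self.secure:
            if not hmac.compare_digest(_tag(self.seq, body), tag):
                raise ConnectionError("MAC failure")
        elif self.strict_kex and msg_type != SSH_MSG_NEWKEYS:
            # Toy simplification: NEWKEYS is the only handshake message modelled,
            # so anything else before it is unexpected and ends the connection.
            raise ConnectionError("strict kex: unexpected message during handshake")
        self.seq += 1
        self.received.append(msg_type)
        if msg_type == SSH_MSG_NEWKEYS:
            self.secure = True
            if self.strict_kex:
                self.seq = 0


def run(strict_kex, inject_ignore, drop_ext_info):
    """Play the tail of the handshake with an on-path attacker; report the outcome."""
    server, client = Sender(strict_kex), Receiver(strict_kex)
    try:
        if inject_ignore:
            # Attacker forges an unauthenticated IGNORE towards the client, which
            # advances the client's receive counter by one without the server knowing.
            client.receive((bytes([SSH_MSG_IGNORE]) + b"\x00\x00\x00\x00", b""))
        client.receive(server.send(SSH_MSG_NEWKEYS))
        ext_info = server.send(SSH_MSG_EXT_INFO, b"server-sig-algs=...")
        if not drop_ext_info:
            client.receive(ext_info)  # attacker lets the first secured packet through
        client.receive(server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"))
    except ConnectionError as exc:
        return f"aborted: {exc}"
    if drop_ext_info and SSH_MSG_EXT_INFO not in client.received:
        return "EXT_INFO deleted, not detected"
    return "ok"


if __name__ == "__main__":
    for strict in (False, True):
        for inject, drop in ((False, False), (True, True), (False, True)):
            print(f"strict_kex={strict!s:5} inject={inject!s:5} drop={drop!s:5} -> "
                  f"{run(strict, inject, drop)}")
```

Compare the legacy and strict rows: without strict kex, a forged SSH_MSG_IGNORE plus one dropped packet is accepted, while a drop alone (or an injection alone) fails the MAC; with strict kex, the injection aborts the connection, and even if it were somehow skipped, the counter reset makes the drop fail the MAC anyway. Real CBC-EtM differs in one detail: OpenSSH chains IVs across packets, so the packet following the deletion decrypts to garbage in its first block, which is why the paper reports its CBC variant as probabilistic rather than deterministic.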

At SlimAI, we monitor container images for new security threats and provide collaborative workspaces to guide teams through remediation steps.

From our dataset of public containers, we've identified 10 vulnerable packages (68 vulnerable versions) across 163 unique public images from multiple container repositories that have been flagged for one of these three CVEs. That number has been rising since the publication of CVE-2023-48795, and applications built on top of these popular images will see their vulnerability counts tick up as they prep their last deployments before the holidays.

Thankfully, remediation here can be straightforward. Bumping AsyncSSH to 2.14.2, or pulling an updated base image that already contains it, is enough to fix the issue for that package. That said, "simple" version bumps can end up in breakages and rework, so be sure to test any new containers for potential issues. Keep in mind, too, that the CVE-2023-48795 countermeasure (strict key exchange) only protects a connection when both the client and the server support it, so patch the SSH servers your containers talk to as well.

If you can't upgrade the library, you can assess your risk by knowing which SSH cipher modes you employ. According to our AI-driven CVE Summarizer, the following risk assessment can be made:

  • One possible mitigation for CVE-2023-48795 is to disable the affected cipher modes chacha20-poly1305 and any encrypt-then-mac variants (generic EtM). Additionally, you can disable the following ciphers and HMACs as a workaround on RHEL-8 and RHEL-9:
  1. [email protected]
  2. [email protected]

It is also mentioned that some cipher modes, such as AES-GCM, are not affected and can still be used without changes. However, it is always recommended to consult the official documentation and security advisories of the affected software or system for specific mitigation steps.

Getting remediation advice from our LLM-driven CVE Summarizer chatbot.
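Turning that advice into a check you can run against the sshd_config or ssh_config shipped in an image: the script below is an added example, not part of the original post or of any vendor advisory. It resolves the effective Ciphers and MACs lists (honouring the +, - and ^ prefixes OpenSSH accepts, and sshd's first-value-wins rule), flags the two affected configurations, and proposes a hardened pair of lists. It assumes the OpenSSH 9.x default lists written into the code (confirm against `ssh -Q cipher` and `ssh -Q mac` on your build), and the sample config is constructed for the example. Rather than dropping the EtM MACs as the RHEL workaround does, it drops the CBC ciphers, which breaks the affected pairing while keeping EtM for the remaining ciphers; either route is valid, and AES-GCM, which is unaffected, is the fallback when nothing else remains.

```python
"""Audit OpenSSH-style Ciphers/MACs settings for the Terrapin-affected modes.

Added example, not part of the original post or of any vendor advisory.
Assumptions: DEFAULT_CIPHERS / DEFAULT_MACS are the OpenSSH 9.x defaults
(verify with `ssh -Q cipher` and `ssh -Q mac`), and WEAK_CONFIG is a
constructed sample, not a real host's configuration.
"""
import re
from fnmatch import fnmatchcase

CHACHA = "chacha20-poly1305@openssh.com"

# Assumed OpenSSH 9.x defaults; the first entry of each list is preferred.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]

# Constructed sample, typical of an older hardening guide.
WEAK_CONFIG = """
# constructed sample sshd_config
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
# a second Ciphers line is ignored by sshd: the first value wins
Ciphers aes256-gcm@openssh.com
"""


def effective_list(value, default):
    """Resolve an algorithm directive against the built-in default:
    '+' appends, '-' removes (wildcard patterns allowed), '^' moves to the
    front, and a bare list replaces the default entirely."""
    items = [x for x in value.lstrip("+-^").split(",") if x]
    if value.startswith("+"):
        return default + [i for i in items if i not in default]
    if value.startswith("-"):
        return [d for d in default if not any(fnmatchcase(d, p) for p in items)]
    if value.startswith("^"):
        return items + [d for d in default if d not in items]
    return items


def parse_config(text):
    """Return (ciphers, macs). Keywords are case-insensitive, '#' starts a
    comment, and as in sshd_config the first occurrence of a keyword wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in ("ciphers", "macs"):
            found.setdefault(parts[0].lower(), parts[1].strip())
    ciphers = (effective_list(found["ciphers"], DEFAULT_CIPHERS)
               if "ciphers" in found else list(DEFAULT_CIPHERS))
    macs = (effective_list(found["macs"], DEFAULT_MACS)
            if "macs" in found else list(DEFAULT_MACS))
    return ciphers, macs


def assess(ciphers, macs):
    """Flag the affected combinations and propose a hardened pair of lists."""
    findings = []
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    if CHACHA in ciphers:
        findings.append(f"{CHACHA} enabled (affected regardless of MAC)")
    if cbc and etm:
        findings.append(f"CBC cipher(s) {cbc} offered alongside EtM MAC(s) {etm}")
    # Drop ChaCha20-Poly1305 outright; drop CBC only if an EtM MAC could pair with it.
    hardened_ciphers = [c for c in ciphers
                        if c != CHACHA and not (etm and c.endswith("-cbc"))]
    if not hardened_ciphers:
        # AES-GCM derives its nonce independently of the attack and is unaffected.
        hardened_ciphers = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"]
    return {
        "vulnerable": bool(findings),
        "findings": findings,
        "hardened": (hardened_ciphers, list(macs)),
    }


def audit(config_text):
    return assess(*parse_config(config_text))


if __name__ == "__main__":
    report = audit(WEAK_CONFIG)
    for finding in report["findings"]:
        print("FINDING:", finding)
    ciphers, macs = report["hardened"]
    print("Ciphers", ",".join(ciphers))
    print("MACs", ",".join(macs))
```

Note that an image with no Ciphers or MACs directive at all is reported as vulnerable, because the assumed defaults put chacha20-poly1305@openssh.com first; that is the common case, and it is why upgrading to an implementation with strict key exchange is the durable fix rather than this workaround.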

Want to know if this CVE shows up in your container and make a plan to remediate it? Sign up above for a free SlimAI Beta account, and stay tuned to our blog and social media channels for more investigations and remediation steps coming soon.

Embarking on a New Journey

Farewell, Slim — Transitioning to a new and larger mission!

We're excited to share some big news from Slim.AI. We're taking a bold new direction, focusing all our energy on software supply chain security, now under our new name root.io. To meet this opportunity head-on, we’re building a solution focused on transparency, trust, and collaboration between software producers and consumers.

When we started Slim.AI, our goal was to help developers make secure containers. But as we dug deeper with our early adopters and key customers, we realized a bigger challenge exists within software supply chain security ​​— namely, fostering collaboration and transparency between software producers and consumers. The positive feedback and strong demand we've seen from our early customers made it crystal clear: This is where we need to focus.

This new opportunity demands a company and brand that meet the moment. To that end, we’re momentarily stepping back into stealth mode, only to emerge with a vibrant new identity, and a groundbreaking product very soon at root.io. Over the next few months, we'll be laser-focused on working with design partners and building up the product, making sure we're right on the mark with what our customers need.

Stay informed and up-to-date with our latest developments at root.io. Discover the details about the end of life for Slim services, effective March 31, 2024, by clicking here.