VDB

GCVE-110-MAGEIA-2024-4

GCVE-110-MAGEIA-2024-4
Advisory Published
Vulnetix · Advisory published January 8, 2024
Parts of the SSH specification are vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and thus downgrading connection security. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to a variety of SSH implementations, including OpenSSH itself, PuTTY, libssh, and more. This release includes a patch to implement Strict KEX mode.

Affected Products

VendorProductVersionsPlatforms
Mageiakernel-firmware20231111-1.mga9 (unaffected), 0 (affected)
Mageiadropbear0 (affected), 2022.83-2.1.mga9 (unaffected), 0 (affected), 2022.83-2.1.mga9 (unaffected)

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›