KiTTY icon indicating copy to clipboard operation
KiTTY copied to clipboard

Published 20 hours ago verified publisher icon cyd01

Terrapin vulnerability mitigation

Open dlong500 opened this issue 1 year ago • 5 comments

What are the plans to mitigate the Terrapin vulnerability? Putty released version 0.80 two days ago with a fix and it appears that BOTH server and client SSH implementations must use the mitigation or the MITM attack is still a threat. As far as I can tell based on the information that has been released this means that using KiTTY without a mitigation patch will allow for this attack even if the SSH server has been patched.

dlong500 avatar Dec 20 '23 05:12 dlong500

[...] As far as I can tell based on the information that has been released this means that using KiTTY without a mitigation patch will allow for this attack even if the SSH server has been patched.

This is somewhat true - one way to partially mitigate this is to go into Connection > SSH > Cipher and move "ChaCha20 (SSH-2 only)" below "-- warn below here --" (be sure to save this in the Default Settings and any other saved sessions). This prevents the use of one of the vulnerable ciphers without warning. As a limitation inherited from PuTTY, the other vulnerable cipher is bundled with other non-vulnerable ones under "AES (SSH-2 only)", and KiTTY can't be configured to warn before using it without also warning before using non-vulnerable ciphers.

Even if you do move both below the warning threshold, running the Terrapin scanner will still produce a positive, as the vulnerable ciphers are still enabled and strict key exchange is unsupported.

Judging by the fact that KiTTY is advertised as "a fork from version 0.76 of PuTTY", and doesn't appear to have incorporated upstream commits since that version (seeing as PuTTY has released 0.77, 0.78, 0.79, and now 0.80), I'm starting to consider moving back to PuTTY myself.

ann4belle avatar Dec 24 '23 05:12 ann4belle

I hope I don't have to go back to putty, but security is more important than usability

BurtGummer avatar Jan 04 '24 15:01 BurtGummer

Is there a reason this is being ignored? This is a serious vulnerability that will deter users from using this software. Why is this not being updated?

Drakonas avatar Aug 06 '24 20:08 Drakonas

Feel free to update KiTTY yourself. It hasn't been updated for almost a year now. One release tag commit was titled "abandoned" https://github.com/cyd01/KiTTY/commit/4404c65e46c8ae663f1ca81d76469e44115f6653

If you require a fix you might have to switch to PuTTY. Only PuTTY is being maintained atm. Alternative: disable Encrypt-then-MAC on your ssh servers

Djfe avatar Aug 06 '24 23:08 Djfe

Feel free to update KiTTY yourself. It hasn't been updated for almost a year now. One release tag commit was titled "abandoned" 4404c65

If you require a fix you might have to switch to PuTTY. Only PuTTY is being maintained atm. Alternative: disable Encrypt-then-MAC on your ssh servers

Apologies. I wasn't aware that development had completely halted... Thanks for letting me know.

Drakonas avatar Aug 07 '24 02:08 Drakonas