Is Control-M Managed File Transfer impacted by CVE-2023-48795 SSH Terrapin Prefix Truncation Weakness ?

Knowledge Article

Is Control-M Managed File Transfer impacted by CVE-2023-48795 SSH Terrapin Prefix Truncation Weakness ?
Control-M Managed File Transfer
Control-M Managed File Transfer
Control-M Managed File Transfer 9.0.21 and higher
Control-M Managed File Transfer Enterprise 9.0.21 and higher
Control-M Managed File Transfer
Control-M Managed File Transfer
Control-M Managed File Transfer 9.0.21 and higher
Control-M Managed File Transfer Enterprise 9.0.21 and higher
Is Control-M Managed File Transfer impacted by CVE-2023-48795 SSH Terrapin Prefix Truncation Weakness ?

CVE-2023-48795 with a base score of 5.9, MFT is using JSCH as the SSH client and Apache sshd-mina as the SSH server.

Please perform the following steps to remediate this vulnerability:

MFT client:

  1. Open aft_configurable.properties file

  2. Look for the com.bmc.aft.configurable.sftp.All.Ciphers parameter, and make sure the value does not include “chacha20-poly1305@openssh.com”.
    If it does, remove the above algorithm.

  3. Look for the com.bmc.aft.configurable.sftp.Mac parameter, and make sure the value does not include either “hmac-sha2-256-etm@openssh.com”, “hmac-sha2-512-etm@openssh.com”, or “hmac-sha1-etm@openssh.com
    If it does, remove the above algorithm.

  4. If changes were made, save the file.


MFT Server (FTS/Hub):

  1. Open FTS/Hub settings -> SFTP settings

  2. Check the Allowed Ciphers

    1. If at least one cipher is selected, make sure that “CC20P1305_OPENSSH” is not selected. If it does, uncheck it and save the settings.

    2. If no item is selected, you must select at least one algorithm, but do not select the “CC20P1305_OPENSSH” one. Save the settings.


 

  1. Open the <agent>/cm/AFT/data/fts_config.properties file, and check the ssh.macs parameter, and
    1. If it has a non-empty value, make sure the value does not include an algorithm with “etm” in it. If it does, remove the algorithm.
    2. If it has an empty value, specify the algorithms you would like to choose. E.g.: ssh.macs=HmacSHA256, HmacSHA512
    3. If changes were made, save the file.
MFTE Gateway:
  1. Open MFTE -> Gateway Settings -> SFTP settings
  2. Check the Allowed Ciphers
    1. If at least one cipher is selected, make sure that “CC20P1305_OPENSSH” is not selected. If it does, uncheck it and save the settings.
    2. If no item is selected, you must select at least one algorithm, but do not select the “CC20P1305_OPENSSH” one. Save the settings.
  3. Open <Agent>/cm/AFT/data/proxyConfig.properties file, and look for the param.ssh.macs parameter, and
    1. If it has a non-empty value, make sure the value does not include an algorithm with “etm” in it. If it does, remove the algorithm.
    2. If it has an empty value, specify the algorithms you would like to choose. E.g.: param.ssh.macs=HmacSHA256, HmacSHA512
    3. If changes were made, save the file.
    4. Restart the gateway/s.
Control-M Managed File Transfer
Control-M Managed File Transfer
Control-M Managed File Transfer 9.0.21 and higher
Control-M Managed File Transfer Enterprise 9.0.21 and higher
Attachment(s):