Question: CVE-2023-48795

[ahrycej]

need to double check with this project
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
SSH.NET is NOT impacted? Could somebody verify?

[Rob-Hague]

The library does not support ChaCha20-Poly1305 nor Encrypt-then-MAC (currently), and does not support SSH extension negotiation (RFC8308)

[ahrycej]

excellent! thank you very much for the answer.

[Rob-Hague]

I should have added:

1. I can't give a qualified answer (I just contribute occasionally as a pastime)
2. The primary use of the attack (and the only one I have seen during bedtime reading) is to prevent the negotiation of SSH extensions (RFC8308), some of which are used to enhance security. Thus leaving the connection in a "downgraded" security state compared to what one might be expecting. But because the library does not implement RFC8308 in the first place, by default the security is the same as that of the "downgraded" security.

So I would say the answer is no, the library is not vulnerable, because it does not implement the required algorithms. If it did implement the required algorithms, the library would (probably?) be vulnerable to the attack methodology, but not to its demonstrated usage of thwarting extension negotiation, because the library does not implement extension negotiation. So then it really comes down to your perception or expectation of security.

Again keeping (1) in mind.

[ahrycej]

We are here discussing impact only do not intend to examine overall security of the library.