SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)

Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message.

The Terrapin attack

Terrapin is a prefix truncation attack targeting the SSH protocol.

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk of Ruhr-Universität Bochum have found.

Aside from downgrading the SSH connection’s security by forcing it to use less secure client authentication algorithms, the attack can also be used to exploit vulnerabilites in SSH implementations.

“For example, we found several weaknesses [CVE-2023-46445, CVE-2023-46446] in the AsyncSSH servers’ state machine, allowing an attacker to sign a victim’s client into another account without the victim noticing. Hence, it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM) capabilities within the encrypted session.”

To pull off a Terrapin attack, though, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer, they pointed out, making it more feasible to be performed on the local network.

“Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.”

More details about their findings can be found in their paper and on a dedicated website.

Patches released or incoming

The researchers have contacted nearly 30 providers of various SSH implementations and shared their research so they may provide fixes before publication.

“Many vendors have updated their SSH implementation to support an optional strict key exchange. Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker’s capability to inject packets during the initial, unencrypted handshake,” they shared.

But it will take a while for all clients and servers out there to be updated – and both “parties” must be for the connection to be secure against the Terrapin attack.

Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others.

Administrators can also use the Terrapin Vulnerability Scanner to determine whether an SSH client or server is vulnerable.

“The scanner connects to your SSH server (or listens for an incoming client connection) to detect whether vulnerable encryption modes are offered and if the strict key exchange countermeasure is supported. It does not perform a fully-fledged handshake, nor does it actually perform the attack,” they explained.

UPDATE (December 20, 2023, 03:40 a.m. ET):

The list of projects that implemented a fix also includes: Dropbear SSH, Rust SSH, Thrussh, Paramiko, and libssh2.