An inherent vulnerability in the Secure Shell (SSH) protocol presents the possibility of being exploited by a strategically positioned adversary, potentially undermining the integrity of SSH connections if certain conditions are met. This type of vulnerability can allow an attacker, through a well-executed man-in-the-middle (MITM) attack, to force SSH clients to adopt more vulnerable authentication methods and disable specific security measures. The exact scope of this vulnerability is complex to determine due to the variety of client-server configurations, different protocol implementations, and other contextual variables. It is important to note that SSH is commonly used to establish secure remote connections and administer systems via a command line interface.
One attack, dubbed the “Terrapin Attack,” was described in detail in a technical document recently published by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk, respected computer scientists affiliated with Ruhr University in Bochum, Germany. This attack was brought to light in October when researchers discreetly notified SSH client and server developers of the vulnerability, prompting a mitigation process that has now become public knowledge with the release of patches and related information.
The research team has also made accompanying scripts and additional materials available on GitHub for those interested in the more granular technical details. A further open source tool was developed to test the susceptibility of SSH clients and servers to the Terrapin attack. Following this discovery, it is expected that software updates for SSH will be distributed to users, and in the meantime, several mitigation strategies have been proposed. Despite this, there is no reason to be overly alarmed as the attack requires an active MITM location on the vulnerable connection rather than a direct attack on the server. This is more of a declassification attack rather than a decryption or command injection issue. In fact, there are methodologies to immediately protect yourself from Terrapin attacks.
It is critical to be aware of three specific CVEs: CVE-2023-48795, which concerns the generic vulnerability at the SSH protocol level; and CVE-2023-46445 and CVE-2023-46446, which are specific to the AsyncSSH Python SSH client. AsyncSSH is particularly notable, considering its approximately 60.000 daily downloads. This open source client was found to have implementation errors that could be exploited in a Terrapin attack to, for example, trick a victim into logging into a shell account under the attacker's control rather than their own. AsyncSSH addressed these vulnerabilities in versions 2.14.1 and 2.14.2, respectively.
How does Terrapin Attack work on SSH?
The Terrapin attack, specifically CVE-2023-48795, is a prefix truncation attack that allows a MITM attacker to degrade the security of an SSHv2 connection during the extension negotiation phase. This attack is analogous to an issue identified in 2015 in TLS 1.3 and subsequently fixed. A successful Terrapin attack may result in the use of less robust client authentication algorithms and the disabling of specific countermeasures against keystroke-based attacks in OpenSSH 9.5. In particularly specific circumstances, it could be used to decipher some secrets, such as a user's password or parts of it during login, although this is a non-trivial event and unlikely to be achieved in practice.
Terrapin's MITM attack mechanism involves inserting a plaintext “ignore” message into the pre-secure connection during the handshake, causing the sequence counter for messages received by the client to increment, while the message in itself is ignored. Once the secure channel is established, the MITM attacker prevents the server from sending messages to the client regarding additional defenses. Although the message is encrypted, the attacker simply prevents it from arriving, and the client does not detect it or act on it. This maneuver is critical because correct counts of messages sent and received are subsequently used to verify the integrity of the entire handshake process. If the counts appear correct, the connection continues as if nothing had happened.
It is important to note that the encryption algorithm adopted for the secure channel is crucial in determining whether an SSH connection is susceptible to a successful attack. Some algorithms, such as ChaCha20-Poly1305, have been identified as “vulnerable and perfectly exploitable” due to the way sequence numbers are used in key derivation. While there is no inherent cryptographic weakness in these algorithms, the way they are implemented for SSH can present vulnerabilities. CBC-Encrypt-then-MAC (CBC-EtM) was also found to be probabilistically vulnerable and exploitable, although, depending on the specific implementation, the attack may not be successful. The CTR-Encrypt-then-MAC algorithm is vulnerable but not practically exploitable.
Experts found that more than three-quarters of publicly exposed SSH servers support “at least one mode that can be exploited in practice,” with 57% of these setting an exploitable algorithm as their preferred choice. Despite the severity of this discovery, experts stressed that there is no need to disable SSH tools or make them an immediate priority. The attack requires an active MITM attacker that can intercept and modify connection traffic at the TCP/IP layer. Furthermore, to be effective, the attack requires negotiating ChaCha20-Poly1305 or any CBC cipher in combination with Encrypt-then-MAC mode as the connection encryption mode.
In terms of mitigation, it is recommended to keep an eye out for patches or updates and install them as soon as possible. For example, for Linux users, these updates should be available via your distribution's usual update method. Recently, version 9.6 of OpenSSH was released, which among other things addressed Terrapin with a more rigorous key exchange protocol that, if supported by both server and client, should effectively thwart these attacks. It is important to note that connecting a vulnerable client to a patched server, and vice versa, still results in a vulnerable connection. Putty 0.8 was also released this week to take on Terrapin, along with libssh 0.10.6 and libssh 0.9.8.
In addition to updates, administrators can mitigate attacks by disabling vulnerable encryption modes in the configuration of their SSH servers and instead opting for non-vulnerable algorithms such as AES-GCM. However, there is a risk that if the server is configured incorrectly or your client does not support the configuration, access to the server may be lost. It is also worth noting that older versions of OpenSSH (6.2 and 6.3) are vulnerable to a buffer overflow when using AES-GCM.
In conclusion, Terrapin is not a simple software bug that can be fixed with a single component update. Rather, it requires updates to both clients and servers to protect connections from prefix truncation attacks. This highlights the need to increase awareness of the issue across all SSH client and server implementations, thus representing a considerable effort for the computing community.
