December 21 2023

SSH affected by Terrapin security vulnerability

There's no need to panic, but update SSH anyway to be on the safe side.

An inherent vulnerability in the Secure Shell (SSH) protocol presents the possibility of being exploited by a strategically positioned adversary, potentially undermining the integrity of SSH connections if certain conditions are met. This type of vulnerability can allow an attacker, through a well-executed man-in-the-middle (MITM) attack, to force SSH clients to adopt more vulnerable authentication methods and disable specific security measures. The exact scope of this vulnerability is complex to determine due to the variety of client-server configurations, different protocol implementations, and other contextual variables. It is important to note that SSH is commonly used to establish secure remote connections and administer systems via a command line interface.

One attack, dubbed the “Terrapin Attack,” was described in detail in a technical document recently published by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk, respected computer scientists affiliated with Ruhr University in Bochum, Germany. This attack was brought to light in October when researchers discreetly notified SSH client and server developers of the vulnerability, prompting a mitigation process that has now become public knowledge with the release of patches and related information.

The research team has also made accompanying scripts and additional materials available on GitHub for those interested in the more granular technical details. A further open source tool was developed to test the susceptibility of SSH clients and servers to the Terrapin attack. Following this discovery, it is expected that software updates for SSH will be distributed to users, and in the meantime, several mitigation strategies have been proposed. Despite this, there is no reason to be overly alarmed as the attack requires an active MITM location on the vulnerable connection rather than a direct attack on the server. This is more of a declassification attack rather than a decryption or command injection issue. In fact, there are methodologies to immediately protect yourself from Terrapin attacks.

It is critical to be aware of three specific CVEs: CVE-2023-48795, which concerns the generic vulnerability at the SSH protocol level; and CVE-2023-46445 and CVE-2023-46446, which are specific to the AsyncSSH Python SSH client. AsyncSSH is particularly notable, considering its approximately 60.000 daily downloads. This open source client was found to have implementation errors that could be exploited in a Terrapin attack to, for example, trick a victim into logging into a shell account under the attacker's control rather than their own. AsyncSSH addressed these vulnerabilities in versions 2.14.1 and 2.14.2, respectively.

How does Terrapin Attack work on SSH?

The Terrapin attack, specifically CVE-2023-48795, is a prefix truncation attack that allows a MITM attacker to degrade the security of an SSHv2 connection during the extension negotiation phase. This attack is analogous to an issue identified in 2015 in TLS 1.3 and subsequently fixed. A successful Terrapin attack may result in the use of less robust client authentication algorithms and the disabling of specific countermeasures against keystroke-based attacks in OpenSSH 9.5. In particularly specific circumstances, it could be used to decipher some secrets, such as a user's password or parts of it during login, although this is a non-trivial event and unlikely to be achieved in practice.

Terrapin's MITM attack mechanism involves inserting a plaintext “ignore” message into the pre-secure connection during the handshake, causing the sequence counter for messages received by the client to increment, while the message in itself is ignored. Once the secure channel is established, the MITM attacker prevents the server from sending messages to the client regarding additional defenses. Although the message is encrypted, the attacker simply prevents it from arriving, and the client does not detect it or act on it. This maneuver is critical because correct counts of messages sent and received are subsequently used to verify the integrity of the entire handshake process. If the counts appear correct, the connection continues as if nothing had happened.

Terrapin Attack

It is important to note that the encryption algorithm adopted for the secure channel is crucial in determining whether an SSH connection is susceptible to a successful attack. Some algorithms, such as ChaCha20-Poly1305, have been identified as “vulnerable and perfectly exploitable” due to the way sequence numbers are used in key derivation. While there is no inherent cryptographic weakness in these algorithms, the way they are implemented for SSH can present vulnerabilities. CBC-Encrypt-then-MAC (CBC-EtM) was also found to be probabilistically vulnerable and exploitable, although, depending on the specific implementation, the attack may not be successful. The CTR-Encrypt-then-MAC algorithm is vulnerable but not practically exploitable.

Experts found that more than three-quarters of publicly exposed SSH servers support “at least one mode that can be exploited in practice,” with 57% of these setting an exploitable algorithm as their preferred choice. Despite the severity of this discovery, experts stressed that there is no need to disable SSH tools or make them an immediate priority. The attack requires an active MITM attacker that can intercept and modify connection traffic at the TCP/IP layer. Furthermore, to be effective, the attack requires negotiating ChaCha20-Poly1305 or any CBC cipher in combination with Encrypt-then-MAC mode as the connection encryption mode.

In terms of mitigation, it is recommended to keep an eye out for patches or updates and install them as soon as possible. For example, for Linux users, these updates should be available via your distribution's usual update method. Recently, version 9.6 of OpenSSH was released, which among other things addressed Terrapin with a more rigorous key exchange protocol that, if supported by both server and client, should effectively thwart these attacks. It is important to note that connecting a vulnerable client to a patched server, and vice versa, still results in a vulnerable connection. Putty 0.8 was also released this week to take on Terrapin, along with libssh 0.10.6 and libssh 0.9.8.

In addition to updates, administrators can mitigate attacks by disabling vulnerable encryption modes in the configuration of their SSH servers and instead opting for non-vulnerable algorithms such as AES-GCM. However, there is a risk that if the server is configured incorrectly or your client does not support the configuration, access to the server may be lost. It is also worth noting that older versions of OpenSSH (6.2 and 6.3) are vulnerable to a buffer overflow when using AES-GCM.

In conclusion, Terrapin is not a simple software bug that can be fixed with a single component update. Rather, it requires updates to both clients and servers to protect connections from prefix truncation attacks. This highlights the need to increase awareness of the issue across all SSH client and server implementations, thus representing a considerable effort for the computing community.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds owns the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Facebook, Inc. owns the rights to Facebook®; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV This site is not affiliated, sponsored, or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a registered trademark at European level by MANAGED SERVER SRL Via Enzo Ferrari, 9 62012 Civitanova Marche (MC) Italy.

Back to top