New attack technique: Terrapin weakens encrypted SSH connections

A team of researchers from Ruhr University Bochum has presented a new attack technique against the SSH protocol that is likely to compromise the integrity of secure SSH connections. In their report, the researchers explain that the attack, known as Terrapin, is made possible by targeted manipulation of sequence numbers during the handshake that sets up the connection.

This allows an attacker to remove some of the messages sent by the client or server while the secure channel is being established, without either party noticing. This includes the message used for extension negotiation (RFC 8308).

Removing these messages can, for example, cause a fallback to less secure client authentication algorithms and disable certain mitigations against keystroke timing attacks in OpenSSH 9.5.

Access to network traffic required

To exploit Terrapin successfully, an attacker must be able to mount a man-in-the-middle (MitM) attack on the client-server connection, intercepting and altering traffic at the TCP/IP layer. In addition, the SSH connection must be encrypted with ChaCha20-Poly1305 or with a CBC-mode cipher using Encrypt-then-MAC.

However, the configurations mentioned are probably quite widely used. “Our scan found that at least 77 percent of SSH servers on the Internet support at least one mode that can be exploited in practice,” the researchers explain. A vulnerability scanner that checks for the vulnerability is available on GitHub. The research team explains the technical details of Terrapin in a detailed paper (PDF).

Many common SSH implementations affected

Terrapin is based on a vulnerability registered as CVE-2023-48795 that affects numerous SSH implementations, including OpenSSH, PuTTY and AsyncSSH, as well as the libssh and libssh2 libraries. Patches already exist for many of these tools. However, for them to be effective, both clients and servers must be updated. Alternatively, one can switch to unaffected encryption algorithms such as AES-GCM.
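The exploitability conditions described above (ChaCha20-Poly1305, or a CBC cipher with Encrypt-then-MAC) and the AES-GCM workaround, as an added example that is not the researchers' scanner or any SSH project's code: it negotiates algorithms from two SSH_MSG_KEXINIT name-lists the way RFC 4253 prescribes and reports whether the resulting mode is one Terrapin targets. The name-lists are constructed and modelled on common OpenSSH defaults, not scan data.

```python
from typing import List, Optional, Tuple

CHACHA = "chacha20-poly1305@openssh.com"  # the AEAD mode the article names

# Constructed name-lists modelled on typical OpenSSH defaults (not scan data).
DEFAULT_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,"
                   "aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com")
DEFAULT_MACS = ("umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
                "umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512")
HARDENED_CIPHERS = "aes256-gcm@openssh.com,aes128-gcm@openssh.com"  # AES-GCM only
LEGACY_CIPHERS = "aes128-cbc,3des-cbc,aes128-ctr"
LEGACY_MACS = "hmac-sha2-256-etm@openssh.com,hmac-sha2-256"

def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: the first client algorithm the server also
    supports wins; None means the handshake would fail."""
    server = set(server_list.split(","))
    return next((n for n in client_list.split(",") if n in server), None)

def mode_is_exploitable(cipher: str, mac: str) -> bool:
    """Article's condition: ChaCha20-Poly1305, or a CBC cipher paired with an
    Encrypt-then-MAC (-etm) MAC. AEAD ciphers such as AES-GCM ignore the MAC
    list entirely and are unaffected."""
    if cipher == CHACHA:
        return True
    if cipher.endswith("-gcm@openssh.com"):
        return False
    return cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com")

def assess(client_ciphers: str, client_macs: str, server_ciphers: str,
           server_macs: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Negotiate as both peers would and judge the resulting (cipher, mac)."""
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    if cipher is None or mac is None:
        return cipher, mac, False  # no session, hence nothing to attack
    return cipher, mac, mode_is_exploitable(cipher, mac)

def exploitable_modes_offered(server_ciphers: str, server_macs: str) -> List[str]:
    """Every exploitable combination a server advertises, whatever a given
    client prefers (the view a server-side scan gives)."""
    found = []
    for cipher in server_ciphers.split(","):
        if cipher == CHACHA:
            found.append(cipher)
            continue
        found += [f"{cipher}+{mac}" for mac in server_macs.split(",")
                  if mode_is_exploitable(cipher, mac)]
    return found
```

With the default lists the negotiated cipher is ChaCha20-Poly1305 and the session is exposed; against the AES-GCM-only server the same client ends up on aes128-gcm@openssh.com and is not.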

With CVE-2023-46445 and CVE-2023-46446, the researchers also point out two further vulnerabilities in AsyncSSH, which are probably due to implementation errors. Combined with a Terrapin attack, they allow attackers to log a target's client into a different account unnoticed, meaning that MitM attacks can be carried out at the session level.
