New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection’s security by breaking the integrity of the secure channel.

Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the “first ever practically exploitable prefix truncation attack.”

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk said.

SSH is a method for securely sending commands to a computer over an unsecured network. It relies on cryptography to authenticate and encrypt connections between devices.

This is accomplished by means of a handshake in which a client and server agree upon cryptographic primitives and exchange keys required for setting up a secure channel that can provide confidentiality and integrity guarantees.

However, a bad actor in an active adversary-in-the-middle (AitM) position with the ability to intercept and modify the connection’s traffic at the TCP/IP layer can downgrade the security of an SSH connection when using SSH extension negotiation.

“The attack can be performed in practice, allowing an attacker to downgrade the connection’s security by truncating the extension negotiation message (RFC8308) from the transcript,” the researchers explained.

“The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5.”

Another crucial prerequisite necessary to pulling off the attack is the use of a vulnerable encryption mode such as ChaCha20-Poly1305 or CBC with Encrypt-then-MAC to secure the connection.

“In a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or gain control over critical systems using administrator privileged access,” Qualys said. “This risk is particularly acute for organizations with large, interconnected networks that provide access to privileged data.”

The flaw impacts many SSH client and server implementations, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting the maintainers to release patches to mitigate potential risks.

“Because SSH servers and OpenSSH in particular are so commonly used throughout cloud-based enterprise application environments, it’s imperative for companies to ensure they have taken appropriate measures to patch their servers,” Yair Mizrahi, senior security researcher of security research at JFrog, told The Hacker News.

“However, a vulnerable client connecting to a patched server will still result in an vulnerable connection. Thus, companies must also take steps to identify every vulnerable occurrence across their entire infrastructure and apply a mitigation immediately.”

Update

According to the Shadowserver Foundation, nearly 11 million internet-exposed SSH servers are vulnerable to the Terrapin attack. A majority of the instances have been identified in the U.S. (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).