TNS
VOXPOP
Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
0%
At work, but not for production apps
0%
I don’t use WebAssembly but expect to when the technology matures
0%
I have no plans to use WebAssembly
0%
No plans and I get mad whenever I see the buzzword
0%
Networking / Security

The Terrapin Attack: A New Threat to SSH Integrity

Researchers at Ruhr University have found a significant vulnerability that targets the SSH protocol by manipulating the handshake process.
Dec 28th, 2023 8:10am by
Featued image for: The Terrapin Attack: A New Threat to SSH Integrity
Feature image via Terrapin-Attack.com

This new vulnerability, Terrapin, breaks the integrity of SSH’s secure channel. Yes, that’s just as bad as it sounds.

Anyone who does anything on the cloud or programming uses Secure Shell (SSH). So any vulnerability is bad news. Guess what? I’ve got some bad news. Researchers at Ruhr University have found a  significant vulnerability in the SSH cryptographic network protocol, which they’ve labeled Terrapin.

This new security vulnerability, which has gotten three CVEs, CVE-2023-48795: General Protocol Flaw; CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH; and CVE-2023-46446: Rogue Session Attack in AsyncSSH poses a serious threat to internet security. Terrapin enables attackers to compromise the integrity of SSH connections, which are widely used for secure access to network services.

The Terrapin attack targets the SSH protocol by manipulating prefix sequence numbers during the handshake process. This manipulation enables attackers to remove messages sent by the client or server at the beginning of the secure channel without detection. The attack can lead to using less secure client authentication algorithms and deactivation-specific countermeasures against keystroke timing attacks in OpenSSH 9.5.

Terrapin is a Man-in-the-Middle

The good news — yes, there is good news — is that while the Terrapin attack is a practical threat, it requires man-in-the-middle (MITM) capabilities to be effective. In other words, your network must already have been cracked so that an attacker can intercept and modify the connection’s traffic before Terrapin can give you trouble. 

Still, the vulnerability is particularly concerning due to its broad applicability. It affects connections secured by the popular ChaCha20-Poly1305 or CBC with Encrypt-then-MAC encryption modes extensively. The researchers have found that 77% of internet SSH servers support at least one of these modes. That’s a lot of vulnerable systems.

Is yours vulnerable? Probably, but you don’t have to take my word for it. The researchers have created a vulnerability scanner called Terrapin Scanner. Pre-built binaries for all major platforms and the source code are available.

I run several servers and cloud instances, so I checked them. You should too. All of my systems are vulnerable.  

You see, this is not an attack on a specific SSH implementation. No, Terrapin can target pretty much every — yes, every SSH — client and server. 

That’s because Terrapin is a prefix truncation attack, which targets the SSH protocol itself.  It does this by breaking SSH’s secure channel’s integrity by carefully adjusting the sequence numbers during the handshake. This enables an attacker to remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without anyone noticing the data thievery. 

This is a new kind of attack.  It targets the cryptographic network protocols themselves and is not an implementation. The researchers also say this is the first-ever practically exploitable prefix truncation attack. 

Not all SSH protocols are vulnerable. AES-GCM (RFC5647) is not affected by Terrapin, nor is the original RFC4253 Encrypt-and-MAC paradigm.

Other cryptographic network protocols, such as Transport Layer Security (TLS) are also unaffected. IPSec/IKE is also immune to Terrapin. 

In response to this discovery, dozens of various SSH implementation developers have been contacted. Many have already updated their SSH implementations to support an optional strict key exchange. This countermeasure introduces sequence number resets, removing an attacker’s ability to inject packets during the initial, unencrypted handshake. Check with your vendor and the Terrapin patch list to see if your SSH clients and servers have been patched. 

It’s worth noting that Microsoft will not be updating Win32-OpenSSH (the SSH implementation built into Windows 10 / 11 / Server 2019 / 2022) via Windows Update. Instead, you must manually update its implementations to 9.5.0.0p1-Beta.

Microsoft is Wrong About Terrapin

 Microsoft’s logic is that the impact on Win32-OpenSSH is limited This is a major mistake.  Microsoft’s decision allows unknown server-side implementation bugs to remain exploitable in a Terrapin-like attack, even if the server got patched to support “strict kex.” As one Windows user noted, “This puts Microsoft customers at risk of avoidable Terrapin-style attacks targeting implementation flaws of the server.” Exactly so. 

You see, for this protection to be effective, both client and server must be patched. If one or the other is vulnerable, the entire connection can still be attacked. So to be safe, you must patch and update both your client and server SSH software. So, if you’re Windows and you haven’t manually updated your workstations, their connections are open to attack. 

While patches and updates are being released, the widespread nature of this vulnerability means that it will take time for all clients and servers to be updated. Because you must already have an MITM attacker in place to be vulnerable, I wouldn’t go spend the holiday season worrying myself sick. I mean, you’re sure you don’t already have a hacker inside your system, right? Right!? 

That said, I’d also patch my software as fast as my vendor releases a patch. Terrapin is nothing to fool around with. 

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.