Terrapin attacks can downgrade security of OpenSSH connections

Academic researchers developed a new attack called Terrapin that manipulates sequence numbers during the handshake process to break the SSH channel integrity when certain widely-used encryption modes are used.

This manipulation lets attackers remove or modify messages exchanged through the communication channel, which can downgrade the public key algorithms used for user authentication or disable the defenses against keystroke timing attacks introduced in OpenSSH 9.5.

A Terrapin attack lowers the security of the established connection by truncating important negotiation messages without the client or server noticing it.

Researchers from the Ruhr University Bochum developed the Terrapin attack and also discovered exploitable implementation flaws in AsyncSSH.

The weaknesses and flaws associated with the attack are now tracked as CVE-2023-48795, CVE-2023-46445 and CVE-2023-46446.

One thing to note about Terrapin is that the attackers need to be in an adversary-in-the-middle (MiTM) position at the network layer to intercept and modify the handshake exchange, and the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.

The data in the messages exchanged after the completion of the handshake determines the severity of the attack’s repercussions.

Figure: Terrapin attack overview

Despite the specific requirements for Terrapin, the extensive adoption of these encryption modes (the researchers' scans put it at 77%) makes the attack feasible in a real-world scenario.

“The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago,” say the researchers, adding that “these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations.”

Multiple vendors are gradually mitigating the security problem. One solution is to implement a strict key exchange that makes packet injection during the handshake impossible.

However, it will take a while for such an issue to be addressed universally and the researchers note that the strict key exchange countermeasure is only effective when implemented on both the client and the server.

The team has published a Terrapin vulnerability scanner on GitHub, which admins can use to determine if an SSH client or server is vulnerable to the attack. 
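As an added illustration (not the researchers' scanner or any code from the original article), the following Python parses an SSH_MSG_KEXINIT payload and applies the negotiation check such a scanner relies on: does the peer advertise OpenSSH's strict key exchange marker (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients), and does it still offer ChaCha20-Poly1305 or a CBC cipher together with an Encrypt-then-MAC MAC? The KEXINIT payloads are constructed inline, and examining only the direction the peer sends is a simplification.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Pseudo-algorithms OpenSSH 9.6 added to signal strict key exchange support.
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload: bytes) -> dict:
    """Parse the ten RFC 4253 name-lists of an SSH_MSG_KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}  # skip the message id byte and the 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        out[name] = [a for a in payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if a]
        pos += 4 + n
    return out

def terrapin_exposure(kexinit: dict, role: str = "server") -> dict:
    """Flag Terrapin-affected modes offered by a peer that lacks strict kex."""
    d = "s2c" if role == "server" else "c2s"  # only the direction the peer sends
    enc, mac = kexinit["enc_" + d], kexinit["mac_" + d]
    strict = STRICT_KEX[role] in kexinit["kex"]
    chacha = CHACHA in enc
    cbc_etm = (any(c.endswith("-cbc") for c in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    return {"strict_kex": strict, "chacha20_poly1305": chacha,
            "cbc_etm": cbc_etm, "vulnerable": (chacha or cbc_etm) and not strict}

def build_kexinit(lists: dict) -> bytes:
    """Construct a KEXINIT payload for testing (cookie left as zeros)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in FIELDS:
        nl = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(nl)) + nl
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed samples: the same server offer with and without the strict-kex marker.
COMMON = {"hostkey": ["ssh-ed25519"], "enc_s2c": [CHACHA, "aes256-gcm@openssh.com"],
          "mac_s2c": ["hmac-sha2-256-etm@openssh.com"], "comp_s2c": ["none"]}
VULNERABLE_SERVER = build_kexinit({**COMMON, "kex": ["curve25519-sha256"]})
PATCHED_SERVER = build_kexinit(
    {**COMMON, "kex": ["curve25519-sha256", STRICT_KEX["server"]]})

if __name__ == "__main__":
    for label, pkt in (("unpatched", VULNERABLE_SERVER), ("patched", PATCHED_SERVER)):
        print(label, terrapin_exposure(parse_kexinit(pkt)))
```

In practice the payload comes from the first binary packet each side sends after the version banner; a server that reports strict_kex is only protected when the client advertises its own marker too, as the researchers note.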

Terrapin is not a simple software bug that can be fixed with an update to a single library or component. Instead, clients and servers need to be updated to protect the connection against prefix truncation attacks. - Ruhr University Bochum

Right now, the biggest mitigation factor for the attack is the MiTM requirement, which makes Terrapin a less severe threat. For this reason, patching CVE-2023-48795 may not be a priority in many cases.

More details about the Terrapin attack are available in the technical whitepaper released by the German researchers.
