Academic researchers have developed a new attack called Terrapin that manipulates sequence numbers during the SSH handshake to break the integrity of the SSH channel when certain widely used encryption modes are negotiated.
This manipulation lets an attacker delete (and in some cases modify) messages sent at the start of the secure channel, which can downgrade the public-key signature algorithms used for user authentication or disable the countermeasures against keystroke timing attacks introduced in OpenSSH 9.5.
A Terrapin attack lowers the security of the established connection by truncating important negotiation messages without either the client or the server noticing.
Researchers from the Ruhr University Bochum developed the Terrapin attack and also discovered exploitable implementation flaws in AsyncSSH.
The weaknesses are now tracked as CVE-2023-48795 (the protocol-level prefix truncation flaw, which affects any implementation that supports the vulnerable modes) and CVE-2023-46445 and CVE-2023-46446 (the AsyncSSH implementation flaws).
One thing to note about Terrapin is that the attacker needs an adversary-in-the-middle (MitM) position at the network layer to intercept and modify the handshake, and the connection must use either ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) or a CBC-mode cipher combined with an Encrypt-then-MAC (*-etm@openssh.com) MAC.
How severe the consequences are depends on what the first messages sent after the handshake carry, since those are the ones the attacker can strip.
Despite these requirements, the wide adoption of the affected modes (the researchers' internet scans put it at about 77% of SSH servers) makes the attack feasible in real-world scenarios.
“The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago,” say the researchers, adding that “these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations.”
Vendors are gradually rolling out fixes. The principal countermeasure is a "strict key exchange" mode that rejects unexpected packets during the handshake and resets the sequence counters once the new keys take effect, so an attacker can no longer inject packets into the handshake undetected.
However, it will take a while for the issue to be addressed universally, and the researchers note that strict key exchange is only effective when both the client and the server implement it, since the mode is negotiated between the two ends.
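To make the mechanism described above (sequence-number manipulation plus silent deletion of the first encrypted packets) and the effect of strict key exchange concrete, here is a small simulation written for this article; it is not code from the researchers or from any SSH implementation. It models one direction of the SSH transport (server sends, client receives) with a toy integrity tag over (sequence number || payload) standing in for ChaCha20-Poly1305 or Encrypt-then-MAC, a constructed session key, and message-type bytes as the only payload. It shows that deleting an encrypted packet on its own fails the MAC, that first injecting a cleartext SSH_MSG_IGNORE during the handshake makes the deletion go unnoticed (here the stripped packet is SSH_MSG_EXT_INFO, which advertises the server's signature algorithms), and that strict kex, modelled as "reject unexpected handshake messages and reset counters after NEWKEYS", stops both.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# SSH message numbers (RFC 4253 / RFC 8308)
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31

# Constructed stand-in for the keys a real key exchange would derive.
SESSION_KEY = b"constructed-session-key-not-from-a-real-kex"


def packet_tag(seq, payload):
    """Integrity tag over (sequence number || payload).

    Real SSH binds each packet to the receiver's local sequence number, either as the
    ChaCha20-Poly1305 nonce or as the first field of the Encrypt-then-MAC input. What
    matters for Terrapin is that the tag covers the counter, never the earlier packets.
    """
    return hmac.new(SESSION_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


@dataclass
class Endpoint:
    """One direction of an SSH transport: the server sends, the client receives."""
    strict_kex: bool
    send_seq: int = 0
    recv_seq: int = 0
    keys_active: bool = False          # True once SSH_MSG_NEWKEYS has passed
    accepted: list = field(default_factory=list)

    def send(self, msg_type):
        payload = bytes([msg_type])
        tag = packet_tag(self.send_seq, payload) if self.keys_active else None
        self.send_seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.keys_active = True
            if self.strict_kex:            # strict kex: counters restart at 0 after NEWKEYS
                self.send_seq = 0
        return payload, tag

    def receive(self, packet):
        payload, tag = packet
        msg_type = payload[0]
        if not self.keys_active:
            # Handshake phase: cleartext, counted by the sequence number but not yet authenticated.
            if self.strict_kex and msg_type == SSH_MSG_IGNORE:
                raise ConnectionError("unexpected message during strict key exchange")
            self.recv_seq += 1
            self.accepted.append(msg_type)
            if msg_type == SSH_MSG_NEWKEYS:
                self.keys_active = True
                if self.strict_kex:
                    self.recv_seq = 0
            return msg_type
        if tag is None or not hmac.compare_digest(tag, packet_tag(self.recv_seq, payload)):
            raise ConnectionError("MAC failure")
        self.recv_seq += 1
        self.accepted.append(msg_type)
        return msg_type


def run_session(strict_kex, attack):
    """Replay a server-to-client message flow under an attacker model.

    attack: "none", "drop_only" (delete the first encrypted packet) or "terrapin"
    (inject a cleartext SSH_MSG_IGNORE before NEWKEYS, then delete the first
    encrypted packet). Returns (outcome, list of message types the client accepted).
    """
    server, client = Endpoint(strict_kex), Endpoint(strict_kex)
    flow = [SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS,
            SSH_MSG_EXT_INFO,          # carries server-sig-algs; deleting it downgrades user auth
            SSH_MSG_SERVICE_ACCEPT]
    try:
        for msg in flow:
            if attack == "terrapin" and msg == SSH_MSG_NEWKEYS:
                # MitM injects an IGNORE the server never sent: the client's counter advances by one.
                client.receive((bytes([SSH_MSG_IGNORE]), None))
            packet = server.send(msg)
            if attack in ("terrapin", "drop_only") and msg == SSH_MSG_EXT_INFO:
                continue                # MitM deletes the first encrypted packet
            client.receive(packet)
    except ConnectionError as err:
        return str(err), client.accepted
    return "ok", client.accepted


if __name__ == "__main__":
    for strict in (False, True):
        for attack in ("none", "drop_only", "terrapin"):
            print(f"strict_kex={strict!s:5} attack={attack:9} ->", run_session(strict, attack))
```

Without strict kex the "terrapin" run ends with outcome "ok" and the client has accepted the injected IGNORE but never saw EXT_INFO, which is exactly the silent truncation the article describes; "drop_only" fails the MAC because the counters no longer line up. With strict kex on both ends the injected IGNORE terminates the handshake before any damage is done.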
The team has published a Terrapin vulnerability scanner on GitHub, which admins can use to determine if an SSH client or server is vulnerable to the attack.
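The researchers' scanner is the authoritative check. As an added illustration of what such a check looks at (this is not the scanner's code), the following Python parses an SSH_MSG_KEXINIT payload and applies the Terrapin preconditions to it: a side is flagged when it offers chacha20-poly1305@openssh.com, or any CBC cipher together with an Encrypt-then-MAC MAC, and does not advertise the strict-kex pseudo-algorithm for its role (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients). The two sample KEXINIT payloads are constructed here, not captured from a real host, and fetch_server_kexinit is a minimal network helper written for this example.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_FLAGS = {"server": "kex-strict-s-v00@openssh.com",
                    "client": "kex-strict-c-v00@openssh.com"}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; raises ValueError on malformed input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                       # message type byte, then a 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        if len(payload) < pos + 4:
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + name)
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used here only to construct offline sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)         # all-zero cookie: constructed, not random
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, ())).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows, reserved


def assess(fields, role="server"):
    """Apply the Terrapin preconditions to one side's KEXINIT.

    Vulnerable = offers chacha20-poly1305@openssh.com, or a CBC cipher together with an
    Encrypt-then-MAC MAC, and does not advertise the strict-kex flag for its role.
    Both directions are checked because either one can be attacked.
    """
    ciphers = set(fields["encryption_algorithms_c2s"] + fields["encryption_algorithms_s2c"])
    macs = set(fields["mac_algorithms_c2s"] + fields["mac_algorithms_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_FLAGS[role] in fields["kex_algorithms"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Do the version exchange and return the server's parsed KEXINIT (live network; not used by tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-TerrapinCheck_0.1\r\n")
        stream = sock.makefile("rb")
        while True:                                     # servers may send banner lines before the version
            line = stream.readline()
            if not line:
                raise ConnectionError("server closed before sending its version string")
            if line.startswith(b"SSH-"):
                break
        packet_len, padding_len = struct.unpack(">IB", stream.read(5))
        body = stream.read(packet_len - 1)              # padding_length byte already consumed
        return parse_kexinit(body[:packet_len - 1 - padding_len])


# Constructed sample: an unpatched OpenSSH-like server and the same server with strict kex.
COMMON = dict(
    server_host_key_algorithms=["ssh-ed25519", "rsa-sha2-512"],
    encryption_algorithms_c2s=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    encryption_algorithms_s2c=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    mac_algorithms_c2s=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    mac_algorithms_s2c=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    compression_algorithms_c2s=["none"], compression_algorithms_s2c=["none"],
)
UNPATCHED = build_kexinit(kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256"], **COMMON)
PATCHED = build_kexinit(kex_algorithms=["curve25519-sha256", "kex-strict-s-v00@openssh.com"], **COMMON)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                               # python3 script.py host [port]
        fields = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
        print(assess(fields))
    else:
        print("unpatched:", assess(parse_kexinit(UNPATCHED)))
        print("patched:  ", assess(parse_kexinit(PATCHED)))
```

Note that the strict-kex flag is role-specific: a server KEXINIT that lists only kex-strict-s-v00@openssh.com says nothing about the client, and as the researchers point out, the countermeasure only works when both ends support it. A server that simply does not offer the affected modes is not flagged either, which is the interim workaround for hosts that cannot yet be patched.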
Right now, the biggest mitigating factor is the MitM requirement, which makes Terrapin a less severe threat than a remotely exploitable flaw, so patching CVE-2023-48795 may not be a priority in many environments. Until both ends of a connection are updated, administrators can also disable the affected modes (chacha20-poly1305@openssh.com and the CBC ciphers) in their SSH configuration, at the cost of compatibility with older peers.
More details about the Terrapin attack are available in the technical whitepaper released by the German researchers.