Terrapin attack allows to downgrade SSH protocol security
January 02, 2024
Researchers discovered an SSH vulnerability, called Terrapin, that could allow an attacker to downgrade the connection’s security.
Security researchers from Ruhr University Bochum (Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk) discovered a vulnerability, called Terrapin (CVE-2023-48795, CVSS score 5.9), in the Secure Shell (SSH) cryptographic network protocol. An attacker can trigger the flaw to downgrade the connection’s security implemented by the protocol.
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
Terrapin is a prefix truncation attack, it works by breaking the integrity of SSH’s secure channel.
“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.” reads the advisory published by the researchers. “The attack can be performed in practice, allowing an attacker to downgrade the connection’s security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5.”
The truncation may result in the utilization of less secure client authentication algorithms and the deactivation of specific countermeasures against keystroke timing attacks in OpenSSH 9.5.
To perform the Terrapin attack, a threat actor must be able to perform a MitM attack at the network layer. Another pre-requirement is that the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.
The Terrapin attack could allow to intercept sensitive data or take over critical systems using administrator privileged access.
The following image shows the Terrapin attack.
“The attacker can drop the EXT_INFO message, used for negotiating several protocol extensions, without the client or server noticing it. Usually, packet deletion would be detected by the client when receiving the next binary packet sent by the server, as sequence numbers would mismatch.” continues the analysis. “To avoid this, an attacker injects an ignored packet during the handshake to offset the sequence numbers accordingly.”
The researchers published a full technical paper titled “Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation.”
The experts also published a simple console application on GitHub written in Go that can allow to determine whether an SSH server or client is vulnerable to the Terrapin attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Terrapin attack)