SSH is like a secret passage on the Internet, making it safe to access important stuff on computers far away and it's used by millions of servers worldwide. A security flaw was found in the SSH protocol configuration which allows for an attack called Terrapin.

Terrapin is a sophisticated attack that targets the security of SSH connections. Essentially, it manipulates the initial handshake process between the client and server to remove certain messages without detection. By playing with the order of messages when computers connect, a sneaky person can sneakily remove some of the messages at the start of the secret passage without anyone noticing.

This manipulation can compromise the security of the connection by tampering with the negotiation of security features. It can also exploit vulnerabilities in the way servers handle connections, allowing attackers to impersonate users or gain unauthorized access.

To execute the Terrapin attack, an attacker needs to intercept and modify network traffic, and the connection must use specific encryption methods. Unfortunately, many SSH connections use these vulnerable encryption modes, making them susceptible to this attack.

Fix and prevent the Terrapin attack

The Terrapin attack targets vulnerabilities in the SSH transport layer protocol, along with specific cryptographic algorithms and encryption methods introduced by OpenSSH more than a decade ago. These outdated methods have since been adopted by many SSH implementations, making them vulnerable to attack. The following is the list of vulnerable ciphers:

  • ChaCha20-Poly1305: chacha20-poly1305@openssh.com
  • CBC-mode ciphers (with Encrypt-then-MAC): any encryption algorithm suffixed -cbc in combination with any MAC algorithm suffixed -etm@openssh.com

This security issue has been assigned the following CVE numbers:

  • CVE-2023-48795: General Protocol Flaw
  • CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
  • CVE-2023-46446: Rogue Session Attack in AsyncSSH

The presence of this vulnerability can be tested with TEQNIX in just a few clicks. Head over to Auto-Scan, select the target and by pressing Start you can test if your OpenSSH server is prone to this attack. If you are vulnerable, the mitigation steps in the TEQNIX finding will help you in taking the required steps to remdiate this flaw.

Test now for the Terrapin attack against your servers.