CERT-In Advisory
CIAD-2024-0001
Terrapin Attack on SSH Handshake Protocols
Original Issue Date: January 05, 2024
Severity Rating: High
Software Affected
- OpenSSH version prior to 9.6
Overview
The Terrapin attack is a recently discovered vulnerability in the SSH handshake protocol that compromises the integrity of SSH's secure channel. It does this by manipulating sequence numbers during the initial handshake process. This attack poses a significant risk to a vast majority of SSH users due to the widespread adoption of the encryption modes it targets.
Description
The Terrapin attack, a prefix truncation attack targeting SSH, specifically compromises the secure channel's integrity by manipulating sequence numbers. This manipulation can result in:
- Downgrading authentication methods, potentially replacing strong algorithms with weaker ones.
- Disabling defenses against keystroke timing attacks, particularly in OpenSSH 9.5.
- Exploiting additional vulnerabilities in certain SSH implementations for amplified impact.
Affected Systems:
The Terrapin attack primarily affects:
- SSH servers and clients using vulnerable encryption modes: ChaCha20-Poly1305 and CBC with Encrypt-then-MAC are the main targets.
- Older versions of OpenSSH and Dropbear: Versions prior to OpenSSH 9.6 and Dropbear 2022.83 are particularly at risk.
- Other SSH implementations with similar vulnerabilities: Check vendor advisories for specific information.
Potential Impact:
The impact of the Terrapin attack varies depending on your environment and software versions. The success of the attack also depends on the attacker's skill level and their ability to get into a Man-in-the-Middle position on your network. Potential consequences include:
- Unauthorized access to sensitive systems: Exploited passwords or weaker authentication methods could grant attackers access to critical data.
- Data breaches and exfiltration: Sensitive information on vulnerable systems could be stolen and leaked.
- Reputational damage: Security breaches can erode trust and damage an organization's reputation.
Mitigation Strategies:
To effectively mitigate the Terrapin attack, prioritize the following:
- Immediate Update: Patch OpenSSH and other SSH implementations to the latest versions. These versions include fixes for the Terrapin vulnerability.
- Disable Vulnerable Encryption Modes: If updating clients is not immediate, disable ChaCha20-Poly1305 and CBC with Encrypt-then-MAC on both client and server configurations.
- Strict Key Exchange Countermeasure: Ensure both client and server support the strict key exchange countermeasure, a crucial step in mitigating the vulnerability.
- Monitor Network Traffic: Implement security tools and intrusion detection systems to monitor network traffic for suspicious activity, particularly around SSH connections.
- Enforce Strong Security Practices: Implement strong password policies, avoid using SSH over untrusted networks, and regularly audit system configurations for vulnerabilities.
- Stay Informed: Regularly check security advisories and updates for your SSH software and other relevant systems.
Solution
Update to the latest version of OpenSSH:
https://www.openssh.com/portable.html
References
OpenSSH
https://www.openssh.com/security.html
CVE Name
CVE-2023-48795
CVE-2023-46445
CVE-2023-46446
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|