Earlier this week, researchers from Ruhr University Bochum in Germany announced the discovery of a new vulnerability impacting the popular SSH protocol. The attack is named Terrapin, and it’s been assigned CVE-2023-48795.
SSH (Secure Shell Protocol) is a cryptographic network protocol that enables secure communication over an unsecured network. It’s a versatile and widely adopted protocol that’s used in countless applications and computing environments.
Terrapin is a man-in-the-middle attack; the flaw allows an attacker to corrupt data being transmitted. This can result in a loss of information or bypass critical security controls such as keystroke timing protections or SHA-2 cryptographic hash requirements, allowing the threat actor to downgrade to SHA-1. Doing so opens up the possibility of other attacks on downstream applications, components, or environments that use SSH. These associated vulnerabilities have been assigned CVE-2023-46445 (Rogue Extension Negotiation Attack in AsyncSSH) and CVE-2023-46446 (Rogue Session Attack in AsyncSSH).
There’s not necessarily a one-size-fits-all remediation for the Terrapin attack. As the Ruhr University researchers explain:
“Due to the widespread adoption of affected cipher modes, patching Terrapin (CVE-2023-48795) is notoriously difficult. To make matters worse, "strict kex" requires both peers, client and server, to support it in order to take effect. A wide variety of SSH implementations started adopting "strict kex" since public disclosure.”
With that said, the Ruhr University researchers have created a vulnerability scanner that you can use to see if your SSH server or client is susceptible. (They’ve also published a list that includes some affected SSH implementations and safe versions.)
Additionally, FOSSA Vulnerability Management subscribers can use our product to locate the CVE(s) in your codebase. You can do this by navigating to the “Packages” tab in the UI and entering the CVE numbers in the “Select a CVE” bar on the bottom-right side of the page. (We've also included a brief video demonstration at the bottom of this article.)
Vulnerability Impact and Significance
How concerned should you be about this vulnerability? While this will vary across organizations and implementations, in general, there is currently little reason to be overly alarmed. Here's why:
- Limited Impact: Terrapin can delete consecutive portions of encrypted messages, which in isolation will typically result in a stuck connection. Some of the most serious impacts identified are in downstream applications implementing SSH, such as
AsyncSSH. An attacker may be able to disable certain keylogging obfuscation features, enabling them to conduct a keylogging attack; or, worst case, a threat actor can sign a victim's client into another account without the victim noticing, enabling phishing attacks. - Difficult to exploit: An active man-in-the-middle attacker and specific encryption modes are prerequisites for the exploit. Intercepting SSH traffic requires a detailed understanding of a target's environment, limiting real-world applicability.
In short, Terrapin is a concern, but not a reason to panic.
Additional Resources: Understanding and Mitigating Terrapin
The Ruhr University researchers who announced the vulnerability have also published several valuable resources for those concerned about their exposure. These include:
Vulnerability scanner: A tool that can be used to determine if you’re vulnerable to the attack.
FAQ: Guidance on how organizations should prioritize remediation, how the attack works, which implementations are vulnerable, and more.
Patches: A list of affected versions and implementations (and the safe, patched versions).
Additionally, FOSSA Vulnerability Management users can reference the video below for guidance on locating the Terrapin CVEs. If you aren't currently a FOSSA user but would like to become one, please reach out to our team.
