We found a flaw in the SSH specification which allows a MitM attacker to drop certain messages from the secured connection. If you are using SSH, check this out: https://terrapin-attack.com 🐢

Joint work with Fabian Bäumer and Jörg Schwenk at Ruhr University Bochum, HGI, funded by CASA Excellence Cluster / DFG.

Terrapin Attack

Our attack exploits two things: SSH authenticates only parts of the handshake, not every message exchanged, and sequence numbers are not reset when the encrypted channel starts. A MitM can therefore insert a message into the unencrypted handshake, advancing the receiver's sequence number, and then drop one message from the secure channel without the MAC noticing.

Here is an example where the attacker uses IGNORE to drop EXT_INFO. Without EXT_INFO the client never sees the server's extensions, which downgrades the client authentication algorithms it will use, and in OpenSSH 9.5 disables the keystroke timing countermeasures that are negotiated through EXT_INFO.

In AsyncSSH v2.14.0 and earlier, the attacker can even control EXT_INFO, or log the victim into an attacker-controlled shell.

Affected are ChaCha20-Poly1305 and Encrypt-then-MAC modes like CBC-EtM and CTR-EtM. These are supported by 77% of SSH servers on the internet - 57% list one of them as their preferred choice.

Fixing this requires changes to the specification. OpenSSH implements a new "strict kex" countermeasure that has been adopted by other vendors. Check your vendor for updates!
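The thread describes the mechanism in prose; what follows is an added Python model, not code from the Terrapin authors or from any SSH implementation, of the sequence-number behaviour behind the attack and of the two halves of the strict kex countermeasure (rejecting unexpected messages during the initial key exchange, and resetting sequence numbers to zero after NEWKEYS). The packet format, the demo keys and the server's message script are constructed stand-ins: the "cipher" binds a per-packet keystream to the sequence number, and the MAC covers seqnr plus ciphertext, which is what matters for the argument.

```python
import hashlib
import hmac
import struct

# SSH message numbers (RFC 4253, RFC 8308).
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31
# Messages a strict-kex peer accepts during the initial key exchange.
KEX_MESSAGES = {SSH_MSG_KEXINIT, 30, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS}
TAG_LEN = 32

# Constructed demo keys; real SSH derives these from the key exchange.
ENC_KEY = b"demo-enc-key"
MAC_KEY = b"demo-mac-key"


def keystream(seq, n):
    """Per-packet keystream bound to the sequence number, in the spirit of
    chacha20-poly1305@openssh.com, which uses seqnr as the nonce."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, struct.pack(">II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal_packet(seq, payload):
    """Encrypt-then-MAC: the tag covers the sequence number and the ciphertext."""
    ct = bytes(p ^ k for p, k in zip(payload, keystream(seq, len(payload))))
    tag = hmac.new(MAC_KEY, struct.pack(">I", seq) + ct, hashlib.sha256).digest()
    return ct + tag


def open_packet(seq, packet):
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, struct.pack(">I", seq) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC failure")
    return bytes(c ^ k for c, k in zip(ct, keystream(seq, len(ct))))


class Peer:
    """One direction of the transport: a 32-bit seqnr that starts at 0 with the
    first unencrypted packet and keeps counting after NEWKEYS unless reset."""

    def __init__(self, reset_seq=False, reject_unexpected=False):
        self.reset_seq = reset_seq                  # strict kex: seqnr -> 0 after NEWKEYS
        self.reject_unexpected = reject_unexpected  # strict kex: no IGNORE etc. during kex
        self.seq, self.encrypted, self.seen = 0, False, []

    def _advance(self, msg_type):
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypted = True
            if self.reset_seq:
                self.seq = 0

    def send(self, payload):
        packet = seal_packet(self.seq, payload) if self.encrypted else payload
        self._advance(payload[0])
        return packet

    def receive(self, packet):
        payload = open_packet(self.seq, packet) if self.encrypted else packet
        msg_type = payload[0]
        if self.reject_unexpected and not self.encrypted and msg_type not in KEX_MESSAGES:
            raise ValueError("strict kex: unexpected message %d during handshake" % msg_type)
        self.seen.append(msg_type)
        self._advance(msg_type)
        return msg_type


# Constructed server-to-client script: handshake, then the first encrypted packets.
SERVER_SCRIPT = [
    bytes([SSH_MSG_KEXINIT]) + b"algorithm lists",
    bytes([SSH_MSG_KEXDH_REPLY]) + b"host key, f, signature",
    bytes([SSH_MSG_NEWKEYS]),
    bytes([SSH_MSG_EXT_INFO]) + b"server-sig-algs,ping@openssh.com",
    bytes([SSH_MSG_SERVICE_ACCEPT]) + b"ssh-userauth",
]


def run(attack=None, reset_seq=False, reject_unexpected=False):
    """Replay SERVER_SCRIPT through a MitM. attack: None, "drop_only" (drop EXT_INFO)
    or "terrapin" (inject IGNORE before NEWKEYS, then drop EXT_INFO).
    Returns (message types the client processed, error string or None)."""
    server, client = Peer(reset_seq, reject_unexpected), Peer(reset_seq, reject_unexpected)
    try:
        for payload in SERVER_SCRIPT:
            if attack == "terrapin" and payload[0] == SSH_MSG_NEWKEYS:
                # Unencrypted IGNORE from the MitM: the client counts it, so its
                # receive seqnr now runs one ahead of the server's send seqnr.
                client.receive(bytes([SSH_MSG_IGNORE]) + b"\x00\x00\x00\x00")
            packet = server.send(payload)
            if attack and payload[0] == SSH_MSG_EXT_INFO:
                continue                            # MitM drops the encrypted EXT_INFO
            client.receive(packet)
    except ValueError as err:
        return client.seen, str(err)
    return client.seen, None


if __name__ == "__main__":
    for name, kw in [("no countermeasure", {}), ("seqnr reset only", {"reset_seq": True}),
                     ("strict kex", {"reset_seq": True, "reject_unexpected": True})]:
        for attack in (None, "drop_only", "terrapin"):
            print("%-17s %-9s %s" % (name, attack, run(attack, **kw)))
```

Running it prints nine scenarios. Without any countermeasure, dropping EXT_INFO alone fails the MAC on the very next packet, but inserting an IGNORE into the unencrypted handshake first shifts the client's receive counter so the drop passes unnoticed and the client simply never processes message 7. Resetting the sequence numbers after NEWKEYS already makes the drop detectable on its own, and rejecting the IGNORE during kex terminates the connection before NEWKEYS is even reached.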

@lambdafu I have a question and I wonder if you can add it to the FAQ so I don't have to read the paper :-) Why is GCM not affected? Is there anything inherently "better" about GCM (compared to chacha/poly, that'd be a controversial take!) or is it more or less "by accident"?
@hanno @lambdafu looks like it’s the latter.