We found a flaw in the SSH specification which allows a MitM attacker to drop certain messages from the secured connection. If you are using SSH, check this out: https://terrapin-attack.com 🐢

Joined work with Fabian Bäumer and Jörg Schwenk at Ruhr University Bochum, HGI, funded by CASA Excellence Cluster / DFG.

Terrapin Attack

Our attack exploits that SSH does not authenticate the entire handshake, but only parts of it, and that sequence numbers carry over to the encrypted channel. This allows an attacker to insert a message into the handshake while dropping one from the secure channel.

Here is an example where the attacker uses IGNORE to drop EXT_INFO. This downgrades client authentication algorithms, and disables keystroke timing countermeasures in OpenSSH 9.5.

In AsyncSSH v2.14.0 and earlier, the attacker can even control EXT_INFO, or log the victim into an attacker controlled shell.

Affected are ChaCha20-Poly1305 and Encrypt-then-MAC modes like CBC-EtM and CTR-EtM. These are supported by 77% of SSH servers on the internet - 57% list one of them as their preferred choice.

Fixing this requires changes to the specification. OpenSSH implements a new "strict kex" countermeasure that has been adopted by other vendors. Check your vendor for updates!
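The mechanism described in the posts above, as an added example that is neither the paper's code nor any SSH implementation's: a toy model of the SSH binary packet protocol in which the MAC covers the sequence number, the handshake counter carries over into the encrypted channel unless "strict kex" resets it, and strict kex also rejects messages that do not belong in the initial handshake. Message names, the HMAC key and the two-message handshake are constructed simplifications; the point is to see why the dropped EXT_INFO goes unnoticed without the reset and is caught with it.

```python
import hmac
import hashlib

# Constructed demo key; in real SSH the MAC key is derived from the key exchange.
KEY = b"constructed-demo-key"

# Messages allowed during the initial (cleartext) handshake in this toy model.
# Strict kex as modelled here rejects anything else, e.g. IGNORE, before NEWKEYS.
HANDSHAKE_MSGS = {"KEXINIT", "KEXDH_REPLY", "NEWKEYS"}


def mac(seq, payload):
    """MAC over sequence number || payload, as the SSH MAC does for each packet."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One SSH side: tracks the receive sequence number and verifies MACs."""

    def __init__(self, strict_kex):
        self.strict = strict_kex
        self.recv_seq = 0
        self.encrypted = False     # True once NEWKEYS has been processed
        self.accepted = []         # message types accepted after NEWKEYS

    def receive(self, msg_type, payload, tag=None):
        if not self.encrypted:
            # Handshake phase: cleartext, and the exchange hash signed later does
            # not cover IGNORE messages or the sequence number itself.
            if self.strict and msg_type not in HANDSHAKE_MSGS:
                raise ValueError("strict kex: unexpected %s during handshake" % msg_type)
            self.recv_seq += 1
            if msg_type == "NEWKEYS":
                self.encrypted = True
                if self.strict:
                    self.recv_seq = 0      # strict kex: counters restart at zero
            return
        # Encrypted phase: the MAC binds the payload to the expected sequence number.
        if tag is None or not hmac.compare_digest(mac(self.recv_seq, payload), tag):
            raise ValueError("MAC failure at seq %d" % self.recv_seq)
        self.recv_seq += 1
        self.accepted.append(msg_type)


def server_stream(strict):
    """Packets the server sends, with a MAC on each one sent after NEWKEYS."""
    seq = 0
    out = []
    for t, p in [("KEXINIT", b"algs"), ("KEXDH_REPLY", b"dh"), ("NEWKEYS", b"")]:
        out.append((t, p, None))
        seq += 1
        if t == "NEWKEYS" and strict:
            seq = 0
    for t, p in [("EXT_INFO", b"ext"), ("SERVICE_ACCEPT", b"svc")]:
        out.append((t, p, mac(seq, p)))
        seq += 1
    return out


def run(strict, tamper=None):
    """Deliver the server's stream to a client, optionally altered in transit.

    tamper: None, "drop" (drop EXT_INFO only) or "insert+drop" (insert an
    IGNORE before NEWKEYS, then drop EXT_INFO, as in the Terrapin description).
    Returns the list of accepted post-NEWKEYS messages, or a "detected: ..." string.
    """
    client = Endpoint(strict)
    stream = server_stream(strict)
    if tamper == "insert+drop":
        idx = next(i for i, (t, _, _) in enumerate(stream) if t == "NEWKEYS")
        stream.insert(idx, ("IGNORE", b"", None))
    if tamper in ("drop", "insert+drop"):
        stream = [m for m in stream if m[0] != "EXT_INFO"]
    try:
        for t, p, tag in stream:
            client.receive(t, p, tag)
    except ValueError as e:
        return "detected: " + str(e)
    return client.accepted


if __name__ == "__main__":
    for strict in (False, True):
        for tamper in (None, "drop", "insert+drop"):
            print("strict=%s tamper=%s -> %s" % (strict, tamper, run(strict, tamper)))
```

Dropping EXT_INFO alone fails the MAC check either way, because the client then expects a lower sequence number than the one the server used. The inserted IGNORE is what realigns the counters when they carry over from the handshake; resetting them at NEWKEYS (and refusing the IGNORE during the handshake) removes that option.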

@lambdafu I have a question and I wonder if you can add it to the FAQ so I don't have to read the paper :-) Why is GCM not affected? Is there anything inherently "better" about GCM (compared to chacha/poly, that'd be a controversial take!) or is it more or less "by accident"?
@hanno @lambdafu looks like it’s the latter.
@hanno Yes, GCM derives the invocation counter only from the IV and a counter that starts at zero, ignoring the SSH standard. The RFC explains that because it is a constant offset from the actual sequence number, that should not be an issue. But in fact, this prevents the attack!
@hanno We added it to the FAQ, thanks for the suggestion!
Terrapin attack: prefix truncation vulnerability affecting ssh implementations allowing MitM attackers to drop packets (CVE-2023-48795) (#15593) · Issues · alpine / aports · GitLab

https://terrapin-attack.com/ Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's...

GitLab
@lambdafu love the name explanation and illustration ❤️
@floris Thanks! It brings a bit of color into the world for sure. 🐢
@lambdafu thanks! Could you also put your non-Xitter handles on the website?
@baeuchle @lambdafu Finally an incentive for me to get a handle too. 😀 We have now put our handles on the website as well.

thx @lambdafu, @Skrillor et al @ RUB for the excellent research on the [Terrapin Attack](https://terrapin-attack.com).

The #Terrapin Scanner is available here:
https://github.com/RUB-NDS/Terrapin-Scanner

For your reference:

- CVE-2023-48795: General Protocol Flaw
- CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
- CVE-2023-46446: Rogue Session Attack in AsyncSSH