Is Your SSH Server Vulnerable? Protect Your Network with an SSH Scan Tool

Secure Shell (SSH) is the backbone of secure remote access, underpinning everything from routine server administration to safeguarding sensitive data transfers across the internet. It’s estimated to protect over 15 million servers on the open internet alone, making its security paramount. However, a recently discovered vulnerability known as the Terrapin attack has exposed potential weaknesses in this widely adopted protocol.

Terrapin is a prefix truncation attack that targets the integrity of SSH’s secure communication channel. By manipulating sequence numbers during the initial handshake, attackers can effectively remove a segment of messages exchanged between the client and server at the beginning of a secure session. This manipulation goes unnoticed by both parties, creating a significant security risk.

The practical implications of Terrapin are serious. Attackers can leverage this vulnerability to downgrade connection security by removing the extension negotiation message (RFC8308). This downgrade can force the use of weaker client authentication algorithms and disable countermeasures against keystroke timing attacks, particularly in systems using OpenSSH 9.5.

Furthermore, Terrapin can be a gateway to exploiting deeper implementation flaws. Researchers have uncovered vulnerabilities in AsyncSSH servers where Terrapin can be used to sign a victim’s client into a different account without detection. This opens doors for sophisticated phishing attacks and potential Man-in-the-Middle (MitM) attacks within seemingly secure SSH sessions.

To execute a Terrapin attack, an attacker needs MitM capabilities at the network layer, meaning they must be able to intercept and alter network traffic. Crucially, the targeted connection must be using either ChaCha20-Poly1305 or CBC encryption combined with Encrypt-then-MAC. Alarmingly, scans indicate that these encryption modes are widely used, making Terrapin a relevant threat to a vast number of SSH sessions in real-world scenarios.

Understanding the Terrapin Attack Mechanism

In a Terrapin attack, an attacker positioned as a Man-in-the-Middle drops the EXT_INFO message during the SSH handshake. This message is critical for negotiating various protocol extensions that enhance security. Ordinarily, any packet deletion would be detected immediately because of a sequence number mismatch when the next packet arrives. The Terrapin attack circumvents this detection: by injecting an “ignored packet” during the handshake, the attacker offsets the sequence numbers so that the truncation is invisible to both the client and server. This manipulation allows the attacker to alter the secure channel setup without raising any flags.

For a deeper dive into the technical aspects of this vulnerability, you can refer to the full research paper:

Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation, Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk.

Further details are available on the USENIX Security ’24 website and arXiv. The proof-of-concept artifacts and tools are publicly accessible on GitHub.

Protect Your SSH Servers: Utilizing an SSH Scan Tool

Given the potential risks associated with the Terrapin attack, proactively assessing your SSH server’s vulnerability is crucial. To aid in this process, vcdstool.com provides a specialized SSH scan tool. This tool is designed to quickly and efficiently determine if your SSH server or client is susceptible to the Terrapin attack.

Our SSH scan tool works by establishing a connection to your SSH server (or listening for incoming client connections) and analyzing the offered encryption modes. It specifically checks for the presence of vulnerable encryption algorithms and verifies if the strict key exchange countermeasure is supported by the server. It’s important to note that the SSH scan tool does not perform a complete handshake or attempt to execute the Terrapin attack itself. Instead, it focuses on identifying potential vulnerabilities based on protocol configurations.

Using an SSH scan tool like ours is the first step in securing your systems against Terrapin. By identifying vulnerable servers, you can prioritize patching and configuration updates to mitigate the risk.

Pre-built binaries of similar vulnerability scanners for various platforms, along with source code, are often available on platforms like GitHub. While vcdstool.com aims to provide a user-friendly and readily accessible SSH scan tool, exploring other available scanners can also be beneficial for comprehensive security checks.

Frequently Asked Questions about the Terrapin Vulnerability and SSH Security

Q: As a system administrator, should I immediately address this vulnerability?

A: While Terrapin is a significant vulnerability, immediate panic may not be necessary. The attack requires a Man-in-the-Middle attacker who can actively intercept and modify network traffic at the TCP/IP layer. This is more feasible on local networks than across the broader internet. Additionally, the attack is contingent on the use of specific vulnerable encryption modes: ChaCha20-Poly1305 or CBC ciphers with Encrypt-then-MAC.

However, it’s prudent to take this vulnerability seriously. As a temporary workaround before patches are fully implemented, you can disable the vulnerable chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in your SSH server (or client) configuration. Opt for safer alternatives like AES-GCM.

Important Warning: Incorrectly modifying SSH configurations can lock you out of your server. Furthermore, older OpenSSH versions (6.2 and 6.3) have a known buffer overflow vulnerability with AES-GCM (https://www.openssh.com/txt/gcmrekey.adv). Exercise caution and test configurations thoroughly.

Q: What can attackers achieve by exploiting Terrapin?

A: The primary risk is an extension downgrade attack. By truncating the extension negotiation message, attackers can force the SSH connection to use less secure settings. The practical impact varies depending on the supported extensions. Commonly, this weakens client authentication, especially when RSA public keys are used. In OpenSSH 9.5, Terrapin can also disable countermeasures against keystroke timing attacks.

Beyond downgrades, Terrapin can enable exploitation of other implementation flaws. The AsyncSSH vulnerabilities, leading to potential MitM at the session layer, highlight this amplified risk.

The overall consequences depend on the messages exchanged post-handshake. If you utilize custom SSH services and bypass standard authentication, carefully assess if dropping initial messages introduces security weaknesses.

Q: Who is vulnerable to the Terrapin attack?

A: The vulnerability is widespread. Terrapin exploits fundamental weaknesses in the SSH transport layer protocol combined with modern cryptographic algorithms and encryption modes popularized by OpenSSH over the last decade. These technologies are now integrated into a vast majority of SSH implementations.

In practice, any SSH connection employing ChaCha20-Poly1305 or CBC-mode ciphers with Encrypt-then-MAC is potentially vulnerable. While CTR-mode ciphers with Encrypt-then-MAC are theoretically vulnerable, this is less exploitable in real-world scenarios.

Q: How practical is a Terrapin attack in reality?

A: The requirement for a Man-in-the-Middle position is the main limiting factor. Executing a MitM attack across the internet is complex. However, within local networks, this threat model becomes more plausible.

The widespread adoption of vulnerable encryption modes significantly increases the attack surface. Scans indicate that a substantial percentage of internet-facing SSH servers support at least one exploitable mode.

Q: How can I determine if my SSH client/server is vulnerable?

A: The easiest way is to use an SSH scan tool. Specifically, if your SSH implementation supports and is configured to offer the chacha20-poly1305@openssh.com encryption algorithm, or any -cbc suffixed encryption algorithm with any -etm@openssh.com suffixed MAC algorithm, it is likely vulnerable to Terrapin.

Utilize the SSH scan tool provided by vcdstool.com or other reputable scanners to definitively assess your client or server’s vulnerability.

Q: If I patch my SSH client/server, am I fully protected?

A: Protection depends on both client and server being patched. The strict key exchange countermeasure requires support from both sides of the connection to be effective. A patched server connected to a vulnerable client, or vice-versa, remains vulnerable. Ensure both ends of your SSH connections are updated.

Q: Does this vulnerability have CVE numbers?

A: Yes, multiple CVEs have been assigned:

  • CVE-2023-48795: General Protocol Flaw
  • CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
  • CVE-2023-46446: Rogue Session Attack in AsyncSSH
  • CVE-2024-41909: General Protocol Flaw (Apache MINA SSHD)

Q: Is Terrapin a novel attack?

A: Yes, Terrapin is considered a pioneering attack in a new class of attacks targeting cryptographic network protocols. It’s the first practical prefix truncation attack known to researchers. Prior theoretical discussions of prefix truncation attacks existed, but Terrapin is the first to demonstrate real-world exploitability.

Q: Why is it named “Terrapin”?

A: The name “Terrapin” was chosen because SSH and terrapins share a commonality: shells. The researchers opted for this name, appreciating terrapins (and turtles) as “cute animals.”

Q: How have vendors responded to the Terrapin vulnerability?

A: Many vendors have responded by updating their SSH implementations to include support for “strict key exchange.” This is a backwards-incompatible enhancement to the SSH handshake that introduces sequence number resets, preventing the packet injection that Terrapin relies upon. However, full protection necessitates both client and server supporting this feature.
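
Why the sequence number reset matters can be seen in a simplified counter model of the handshake described under “Understanding the Terrapin Attack Mechanism”. This is an added illustration, not code from the original publication; the message list is abridged, the function names are constructed, and the integrity check is reduced to a comparison of sequence numbers.

```python
HANDSHAKE = ["KEXINIT", "KEX_REPLY", "NEWKEYS"]  # abridged, sent in the clear
PROTECTED = ["EXT_INFO", "SERVICE_ACCEPT"]       # sent under the new keys

def client_view(inject_ignore, drop_ext_info, strict_kex):
    """Model server-to-client traffic; return (status, accepted messages)."""
    send_seq = recv_seq = 0
    # Cleartext phase: both counters advance, but nothing is authenticated yet.
    for msg in HANDSHAKE:
        if msg == "NEWKEYS" and inject_ignore:
            recv_seq += 1      # client counts an extra packet the server never sent
        send_seq += 1
        recv_seq += 1
    if strict_kex:
        # Strict key exchange resets both counters at NEWKEYS, so any offset
        # built up earlier is discarded. (Real implementations additionally
        # terminate on unexpected messages during the initial handshake.)
        send_seq = recv_seq = 0
    accepted = []
    for msg in PROTECTED:
        tagged_seq = send_seq  # sequence number covered by the MAC/AEAD tag
        send_seq += 1
        if msg == "EXT_INFO" and drop_ext_info:
            continue           # packet removed in transit
        if tagged_seq != recv_seq:
            return ("integrity_failure", accepted)
        accepted.append(msg)
        recv_seq += 1
    return ("ok", accepted)

def all_cases():
    """Outcome for every combination of (inject, drop, strict)."""
    flags = (False, True)
    return {(i, d, s): client_view(i, d, s)
            for i in flags for d in flags for s in flags}
```

Without the reset, the only combination that silently loses EXT_INFO is injection plus deletion; with the reset, every deletion ends in an integrity failure.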

Q: Are other protocols vulnerable to prefix truncation attacks?

A: Currently, no other practical prefix truncation attacks are publicly known for other cryptographic network protocols. Protocols like TLS reset message sequence numbers upon key changes and authenticate the entire handshake, mitigating this type of attack. IPSec/IKE also resets sequence numbers, offering similar protection.

Q: Are other cipher modes affected besides ChaCha20-Poly1305 and CBC with Encrypt-then-MAC?

A: AES-GCM (RFC5647) is not vulnerable to Terrapin because it doesn’t rely on SSH sequence numbers. It uses an IV derived from key derivation as its nonce, incrementing it independently. The original Encrypt-and-MAC paradigm from RFC4253, which protects plaintext integrity, also thwarts the Terrapin attack.

Q: Is naming this vulnerability “Terrapin” and creating a dedicated webpage justified?

A: Yes, the researchers believe so. Terrapin isn’t a simple software bug; it’s a protocol-level vulnerability requiring widespread awareness and coordinated updates across numerous SSH implementations. Raising awareness across the entire SSH ecosystem is a significant undertaking. The name, logo, and webpage are part of this effort to help users and vendors understand and address the long-term implications of the Terrapin attack.

For further inquiries, you can contact the research team via the provided contact methods in the original publication.

Responsible Disclosure Timeline (As per original publication)

  • 2023-10-17: Initial contact with OpenSSH and Ron Frederick (AsyncSSH author)
  • 2023-11-08: AsyncSSH patch released
  • 2023-11-17: Initial vendor contact (round 1)
  • 2023-11-17: Disclosure to German CERT-Bund
  • 2023-11-21: Second round of vendor contact
  • 2023-12-11: Disclosure to distros mailing list
  • 2023-12-18: Public Disclosure
