Novel Terrapin Attack Uses Prefix Truncation to Downgrade the Security of SSH Channels

Cyber Threat Summary:
Secure Shell Protocol (SSH) was developed in early 1995, after a password sniffer was used to discover passwords stored in plain text at Finland’s Helsinki University of Technology. One of the “first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as ‘public key encryption,’ SSH quickly caught on around the world.” SSH was easy to install on a wide array of operating systems, including the myriad ones that powered the devices administrators used—and the servers those devices connected to remotely.

Today, it’s hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.

Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.

Security Officer Comments:
“Named Terrapin, the new hack works only when an attacker has an active adversary-in-the-middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability to both intercept and to alter communications. While this position can be difficult for an attacker to achieve, it’s one of the scenarios from which SSH was thought to have immunity” (Arstechnica, 2023).

For Terrapin to be viable, the connection it interferes with must also be secured by either "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", which, according to the researchers, is the case for nearly 77 percent of SSH servers exposed to the Internet.

“Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake—the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream” (Arstechnica, 2023).

In its current incarnation, Terrapin involves three vulnerabilities:

  • CVE-2023-48795
  • CVE-2023-46445
  • CVE-2023-46446

CVE-2023-48795 is the general flaw in the SSH protocol allowing for the prefix truncation attack. CVE-2023-46445 and CVE-2023-46446, meanwhile, reside in an app named AsyncSSH, which implements the SSH protocol. While the latter two implementation flaws don’t affect the SSH protocol directly, they can only be exploited when coupled with Terrapin, and as such demonstrate the adverse effects that can result from Terrapin. (The AsyncSSH vulnerabilities have been fixed in version 2.14.1.)

The researchers have devised two ways to wield the prefix truncation attack. One way downgrades some of the extensions that OpenSSH and other SSH apps can use to secure connections. The other uses CVE-2023-46445 to replace the extension information message sent by the server, letting the attacker control its content. This is a bit more severe than just dropping the message (as in the general attack).

Suggested Correction(s):
People who want to know if the SSH client or server they use is vulnerable to Terrapin can use a custom scanner developed by the researchers. It connects to a server or monitors the incoming client connection to determine whether one of the vulnerable encryption modes is available and if the countermeasure requiring a strict key exchange is supported. The scanner doesn’t perform a full-fledged handshake or carry out the attack.

The risk severity and patch urgency posed by the Terrapin vulnerability will vary from user to user and organization to organization. Anyone using AsyncSSH should patch right away. While the researchers didn’t focus much time on the dozens of other widely used SSH implementations, it’s entirely possible that some of them may also harbor currently undetected vulnerabilities that can be exploited using Terrapin.

Anyone who uses any app implementing SSH should check with the developer for guidance, including whether the app is affected by Terrapin and, if so, the conditions under which it is vulnerable to exploitation and whether a fix is available.