Nearly 11 Million SSH Servers Vulnerable to New Terrapin Attacks

Cyber Threat Summary:
Shadowservers has released new vulnerability metrics surrounding the recently discovered Terrapin vulnerabilities that threaten the integrity of some SSH connections. The Terrapin flaws target the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.

Specifically, the Terrapin flaw can be used to manipulate the sequence numbers supplied during the handshake process to compromise the integrity of the SSH channel, particularly when specific encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC are used. An attacker could thus downgrade the public key algorithms for user authentication and disable defenses against keystroke timing attacks in OpenSSH 9.5.

Shadowserver warns that there are nearly 11 million SSH servers on the public web - identified by unique IP addresses, that are vulnerable to Terrapin attacks. This constitutes roughly 52% of all scanned samples in the IPv4 and IPv6 space monitored by Shadowserver.

Most of the vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).

Security Officer Comments:
While the issue is severe, it does require attackers to obtain an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange. This requirement will lessen the overall risk to most organizations. Sophisticated threat actors who acquire AitM access may wait for the right moment to progress their attack.

While not all of these servers will be attacked, the relevance of Shadowservers metrics is to highlight the widespread impacts this vulnerability might have. While not all 11 million instances are at immediate risk of being attacked, it shows that adversaries have a large pool to choose from.

Suggested Correction(s):
If you want to check an SSH client or server for its susceptibility to Terrapin, the Ruhr University Bochum team provides a vulnerability scanner.