CybserSecurity News

Tag: Terrapin attack

  • Terrapin’s Threat: 11 Million SSH Servers at Risk of Data Manipulation

    Researchers have calculated that nearly 11 million SSH servers on the internet are vulnerable to Terrapin attacks, which allow data manipulation during the handshake process, ultimately compromising the integrity of the SSH channel when using certain widely used encryption modes.

    In December last year, experts from the Ruhr University in Bochum discussed the Terrapin issues. The attack described by the specialists enables the deletion or alteration of messages transmitted within the communication channel, leading to a downgrade in the level of public key algorithms used for user authentication, or to a complete disabling of protection against timing attacks based on keystroke timing analysis in OpenSSH 9.5. As a result, Terrapin diminishes the security of the connection by manipulating negotiation messages in such a way that neither the client nor the server notices.

    For the interception and modification of the handshake, the attacker must pre-occupy a network position akin to a man-in-the-middle (MiTM), and the connection must be secured either through ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.

    Analysts at Shadowserver have now warned that approximately 11 million SSH servers (by the count of unique IP addresses) in the network are vulnerable to Terrapin attacks.

    Thus, about 52% of all scanned samples in the IPv4 and IPv6 spaces are vulnerable. The most vulnerable systems were identified in the USA (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).

    Although not all of the 11 million vulnerable servers are at immediate risk of attack, the Shadowserver report vividly demonstrates that malefactors have a wide range of targets to choose from.

    The researchers remind that a scanner for detecting Terrapin vulnerabilities is published on GitHub, allowing administrators to determine if their SSH client or server is vulnerable to this attack.

  • The Terrapin Attack: A New Cybersecurity Threat to SSH Protocols

    In the ever-evolving landscape of cybersecurity, a new threat has emerged, known as the Terrapin attack. This sophisticated cyber assault targets the SSH (Secure Shell) protocol, a widely used standard for secure network services like remote terminal login and file transfer. The Terrapin attack exploits a vulnerability in SSH’s sequence number handling during the handshake process, allowing attackers to disrupt the integrity of SSH’s secure channel.

    What makes the Terrapin attack uniquely alarming is its ability to manipulate sequence numbers to remove messages sent by the client or server at the beginning of the secure channel, without detection. This vulnerability can be exploited in real-world scenarios, downgrading the connection’s security and potentially leading to the use of less secure client authentication algorithms.

    These are 3 CVE numbers for this new attack:

    • CVE-2023-48795: General Protocol Flaw
    • CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
    • CVE-2023-46446: Rogue Session Attack in AsyncSSH

    The discovery of the Terrapin attack was made by a team of security researchers from Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk. Their findings revealed that this attack could enable the exploitation of implementation flaws, particularly in AsyncSSH servers. These flaws could allow an attacker to sign a victim into another account without detection, paving the way for potent phishing attacks and granting Man-in-the-Middle capabilities within encrypted sessions.

    Performing the Terrapin attack requires Man-in-the-Middle capabilities at the network layer, enabling attackers to intercept and modify traffic. Additionally, the connection must be secured by specific encryption modes, which are widely adopted, making most real-world SSH sessions vulnerable.

    In response to this threat, researchers have developed a simple console application written in Go, available on GitHub. This tool helps determine the vulnerability of SSH servers or clients to the Terrapin attack. Despite its severity, the attack is not an immediate threat to all systems, as it requires specific conditions to be met, including the interception and modification of TCP/IP traffic and the use of certain encryption modes.

    The implications of the Terrapin attack are significant, particularly in terms of security downgrades during SSH extension negotiations. This could affect client authentication security, especially when using RSA public keys, and in some cases, may deactivate countermeasures against keystroke timing attacks in OpenSSH 9.5.

    The Terrapin attack has been acknowledged by multiple vendors, leading to updates in SSH implementations to support an optional strict key exchange. This measure, while effective, requires support from both client and server to be effective.