Terrapin: A New Vulnerability Impacting SSH
By: Craig Kennedy
On December 18th, 2023, researchers at Ruhr University in Germany revealed a vulnerability in the widely used SSH cryptographic network protocol.
The vulnerability has been code-named Terrapin and has been assigned CVE-2023-48795 in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
Understanding the Terrapin Vulnerability
The Terrapin vulnerability affects the SSH protocol by allowing remote attackers to bypass integrity checks during the initial handshake negotiation. Because the defect is inherent to the protocol, it affects a broad spectrum of SSH client and server implementations, including OpenSSH, Apache, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and many others.
This vulnerability affects Windows, Mac, and Linux systems and is estimated to impact over 10 million systems that are openly accessible on the internet. When including the number of systems that are not exposed to the internet, this number grows by many orders of magnitude.
Evaluating the Risk
The Terrapin attack enables a man-in-the-middle (MitM) attacker to truncate crucial parts of the SSH handshake without terminating the SSH connection, thereby creating a security hole between the SSH client and server. The vulnerability could lead to the compromise of information or circumvention of critical security controls.
The Terrapin attack is the first known attack in a new family of attacks targeting cryptographic network protocols. The NVD has assigned it a base score of 5.9, indicating a medium level of severity, but due to the vast number of systems and services impacted, it warrants immediate action.
Considering the recent tactics by cybercriminals to infiltrate systems and then lie in wait for opportunities, this vulnerability is very concerning. Every system should be considered at risk and evaluated.
Detecting Vulnerability
If your SSH implementations support (and are configured to offer) the chacha20-poly1305@openssh.com encryption algorithm, or any encryption algorithm suffixed -cbc in combination with any MAC algorithm suffixed -etm@openssh.com, then you are vulnerable to Terrapin. It’s important to note that updating just the server or just the client is not sufficient: both must be patched for the SSH connection to be secure. A vulnerable client connecting to a patched server will still result in a vulnerable connection.
Patches Being Made Available
Similar to the Log4j/Log4Shell vulnerability, Terrapin impacts a vast number of applications and is not resolved by an OS patch alone. As we’ve reported, patches for the Log4Shell vulnerability have been available for over two years, and yet as many as one in three applications have yet to be patched and the vulnerability is still actively being exploited.
Some vendors have already made patches available for affected SSH implementations, applications, and Linux distros, including AsyncSSH, libssh, OpenSSH, PuTTY, Transmit, SUSE, and others.
Disable Vulnerable Encryption Algorithms
It is highly recommended to apply patches as soon as they are made available from the respective vendors. In the meantime, you can avoid this vulnerability by disabling chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client) and use unaffected algorithms like AES-GCM instead.
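The detection rule and the interim mitigation above can be checked mechanically. The following is an added example, not code from the original article or from any SSH project: it applies the article's rule to an effective configuration dump such as the output of `sshd -T` (server) or `ssh -G <host>` (client). The function names and the sample dumps are constructed for illustration.

```python
"""Flag Terrapin-relevant algorithm offers in an effective SSH config dump."""

CHACHA = "chacha20-poly1305@openssh.com"
CBC_SUFFIX = "-cbc"
ETM_SUFFIX = "-etm@openssh.com"


def parse_algorithms(config_text):
    """Return (ciphers, macs) lists from 'sshd -T' / 'ssh -G' style lines."""
    algos = {"ciphers": [], "macs": []}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in algos:
            names = [a.strip() for a in parts[1].split(",")]
            algos[parts[0].lower()] = [a for a in names if a]
    return algos["ciphers"], algos["macs"]


def terrapin_findings(config_text):
    """Apply the article's rule and return a list of findings (empty if none)."""
    ciphers, macs = parse_algorithms(config_text)
    findings = []
    if CHACHA in ciphers:
        findings.append(f"cipher offered: {CHACHA}")
    # CBC ciphers only matter when an encrypt-then-MAC algorithm is also offered.
    cbc = [c for c in ciphers if c.endswith(CBC_SUFFIX)]
    etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
    if cbc and etm:
        findings.append("CBC + EtM offered: " + ",".join(cbc) + " with " + ",".join(etm))
    return findings


# Constructed sample dumps (not taken from a real host).
DEFAULT_LIKE = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""
CBC_ETM = """\
ciphers aes128-cbc,aes256-ctr
macs hmac-sha2-256-etm@openssh.com
"""
HARDENED = """\
ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    for name, dump in [("default-like", DEFAULT_LIKE), ("cbc+etm", CBC_ETM), ("hardened", HARDENED)]:
        print(name, "->", terrapin_findings(dump) or "no Terrapin-relevant algorithms offered")
```

Feed it the effective configuration rather than the raw configuration file, since algorithms enabled by default do not appear in a file that never mentions them. The check covers algorithm offers only and says nothing about whether the implementation itself has been patched.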
Bottom Line
While the Terrapin vulnerability poses a significant threat to SSH connections, it can be mitigated with prompt patching and by adhering to transport layer security best practices. Apply patches as soon as they are made available, and put processes in place to ensure that all applications impacted by this vulnerability are patched.