
Terrapin: A New Vulnerability Impacting SSH

By: Craig Kennedy

 


On December 18th, 2023, researchers at Ruhr University in Germany revealed a vulnerability in the widely used SSH cryptographic network protocol.

The vulnerability has been code-named Terrapin and has been assigned CVE-2023-48795 in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

Understanding the Terrapin Vulnerability

The Terrapin vulnerability is a flaw in the SSH protocol that allows remote attackers to bypass integrity checks during initial handshake negotiations. Because the defect is inherent to the protocol, it affects a broad spectrum of SSH client and server implementations, including OpenSSH, Apache, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and many others.

This vulnerability affects Windows, Mac, and Linux systems and is estimated to impact over 10 million systems that are openly accessible on the internet. When systems that are not exposed to the internet are included, this number grows by many orders of magnitude.

Evaluating the Risk

The Terrapin attack enables a man-in-the-middle (MitM) attacker to truncate crucial parts of the SSH handshake without terminating the SSH connection, thereby creating a security hole between the SSH client and server. The vulnerability could lead to the compromise of information or circumvention of critical security controls.

The Terrapin attack is the first known attack in a new family of attacks targeting cryptographic network protocols. The NVD has assigned it a base score of 5.9, indicating a medium level of severity, but due to the vast number of systems and services impacted, it warrants immediate action.

Considering the recent tactics by cybercriminals to infiltrate systems and then lie in wait for opportunities, this vulnerability is very concerning. Every system should be considered at risk and evaluated.

Detecting Vulnerability

If your SSH implementations support (and are configured to offer) the chacha20-poly1305@openssh.com encryption algorithm, or any encryption algorithm suffixed -cbc in combination with any MAC algorithm suffixed -etm@openssh.com, then you are vulnerable to Terrapin. Note that updating just the server or just the client is not sufficient: both must be patched for the SSH connection to be secure. A vulnerable client connecting to a patched server will still result in a vulnerable connection.

Patches Being Made Available

Similar to the Log4j/Log4Shell vulnerability, Terrapin impacts a vast number of applications and cannot be resolved with an OS patch alone. As we’ve reported, patches for the Log4Shell vulnerability have been available for over two years, and yet as many as one in three applications have yet to be patched and the vulnerability is still actively being exploited.

Some vendors have already made patches available for affected SSH implementations, applications, and Linux distros, including AsyncSSH, libssh, OpenSSH, PuTTY, Transmit, SUSE, and others.

Disable Vulnerable Encryption Algorithms

It is highly recommended to apply patches as soon as they are made available from the respective vendors. In the meantime, you can avoid this vulnerability by disabling the chacha20-poly1305@openssh.com encryption algorithm and the -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client) and using unaffected algorithms like AES-GCM instead.
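The detection rule under "Detecting Vulnerability" and the interim workaround above can be applied to a host's effective algorithm lists. The following is an added example, not code from the researchers or any vendor: it assumes input in the `keyword value` shape printed by `sshd -T` or `ssh -G <host>`, and the function names and sample lines are constructed for illustration.

```python
# Added example: audit effective SSH algorithm lists against the Terrapin criteria above.
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

# Constructed sample in the "keyword value" shape that `sshd -T` prints.
SAMPLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

def parse_algorithms(text):
    """Extract the cipher and MAC lists; fail loudly if either is absent."""
    algs = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("ciphers", "macs"):
            algs[parts[0].lower()] = [a for a in parts[1].split(",") if a]
    missing = {"ciphers", "macs"} - set(algs)
    if missing:
        # Without the effective lists the defaults apply and cannot be judged here.
        raise ValueError("missing keywords: " + ", ".join(sorted(missing)))
    return algs["ciphers"], algs["macs"]

def terrapin_findings(ciphers, macs):
    """Return the vulnerable offers named in the text; an empty list means none."""
    findings = []
    if CHACHA in ciphers:
        findings.append(CHACHA)
    etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    if cbc and etm:  # CBC is only affected when paired with an EtM MAC
        findings.append("CBC+EtM: " + ",".join(cbc) + " with " + ",".join(etm))
    return findings

def interim_config(ciphers, macs):
    """Drop ChaCha20-Poly1305 and every EtM MAC, keeping the rest in order."""
    keep_c = [c for c in ciphers if c != CHACHA]
    keep_m = [m for m in macs if not m.endswith(ETM_SUFFIX)]
    if not keep_c or not keep_m:
        raise ValueError("workaround would leave an empty algorithm list")
    return keep_c, keep_m

if __name__ == "__main__":
    c, m = interim_config(*parse_algorithms(SAMPLE))
    print("Ciphers " + ",".join(c) + "\nMACs " + ",".join(m))
```

The check covers algorithm offers only, not whether the implementation itself has been patched, so run it against both the server and every client configuration.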

Bottom Line

While the Terrapin vulnerability poses a significant threat to SSH connections, it can be mitigated with prompt patching and by adhering to transport layer security best practices. Apply patches as soon as they are made available, and put processes in place to ensure that all applications impacted by this vulnerability are patched promptly.

