In a recent revelation, a new vulnerability named Terrapin (CVE-2023-48795) has been identified in the Secure Shell (SSH) cryptographic network protocol. This vulnerability poses a serious threat to the integrity of SSH connections, impacting both clients and servers.
SSH is a cryptographic network protocol designed to establish a secure and encrypted connection between two systems. Key Applications of SSH are Remote Login, Secure File Transfer, Tunneling and Port Forwarding.
Terrapin in Action: How It Works
Terrapin works by carefully adjusting sequence numbers during the handshake, allowing an attacker to remove messages from the client or server at the beginning of the secure channel without detection. The truncation can lead to the use of less secure client authentication algorithms and the deactivation of specific countermeasures against keystroke timing attacks.
The Terrapin Attack (CVE-2023-48795): Decrypting the Threat
Terrapin is a prefix truncation attack that manipulates sequence numbers during the handshake process. It compromises on the integrity of SSH channels, particularly when using encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC. The attack allows threat actors to downgrade public key algorithms for user authentication, disabling defenses against keystroke timing attacks in Open SSH 9.5.
A key prerequisite for Terrapin attack(CVE-2023-48795) is the need for attackers to be in adversary-in-the-middle(AitM) position, intercepting and modifying handshake exchange. A recent report by security threat monitoring platform Shadowserver indicates that almost 11 million SSH servers on the public web, constituting roughly 52% of all scanned samples, are vulnerable to Terrapin attacks.
Global Impact and Vulnerability Distribution
The significance of Shadowserver’s report is underscored by the widespread impact of Terrapin attacks. Most vulnerable systems were identified in the United States(3.3 million), followed by China(1.3 million), Germany(1 million), Russia(700,000), Singapore(390,000), and Japan(380,000).
Defensive Measures and Recommendations
To execute a Terrapin attack (CVE-2023-48795), threat actors need to perform a man-in-the-middle attack at the network layer, securing the connection with ChaCha20-Poly1305 or CBC with Encrypt-then-MAC. It’s recommended to use vulnerability scanners like SanerNow to identify susceptible servers and clients. Additionally, applying updates to both clients and servers, is crucial to mitigate the effects of the Terrapin vulnerability.
SanerNow Vulnerability Management, Risk Prioritization, and Patch Management detect and automatically fix vulnerabilities with risk-based remediation. With SanerNow, you can keep your systems updated and secure.