CVE-2023-48795 - Understanding the Terrapin Attack — Breaking the Integrity of SSH Connections

*Posted in June 2024 by Security Research Exchange*

Introduction

If you’re using SSH to connect to servers, transfer files, or manage devices, you likely depend on its security. But recently, researchers discovered a serious flaw in SSH’s transport protocol—CVE-2023-48795, known as the Terrapin attack, which lets attackers silently degrade the security of your connection.

Let’s walk through how the Terrapin attack works, which SSH software is affected, and what you can do to stay safe.

What Is CVE-2023-48795?

CVE-2023-48795 is a vulnerability in the SSH protocol and several popular implementations (such as OpenSSH, PuTTY, Dropbear, libssh, and many more). The vulnerability lets a remote attacker bypass certain integrity checks, meaning they can strip out parts of the SSH handshake that negotiate security features. As a result, a client and server may think certain security features (like secure encryption or MACs) are enabled, when they’re actually not, or may get silently downgraded.

This is a protocol-level weakness, specifically in the SSH *Binary Packet Protocol* (BPP), which mishandles handshake packets and sequence numbers. This opens the door for “downgrade” attacks.

The most severe examples involve ChaCha20-Poly1305 and CBC + Encrypt-then-MAC (-etm) modes, but a large range of cryptographic algorithms and SSH libraries are affected.

Who Is Vulnerable?

A huge number of SSH clients and servers from different vendors are vulnerable if they don’t have the latest patches. Here are some notable affected products (not an exhaustive list):

WinSCP < 6.2.2

- Bitvise SSH Server/Client < 9.32/9.33

(And many more: SFTPGo, jsch, Netgate pfSense, Apache MINA sshd, etc.)

If you use SSH anywhere in your infrastructure, check your versions—most popular implementations are likely vulnerable.

Let’s break it down into simple terms.

1. SSH Handshake: When you connect, the client and server negotiate which encryption, MAC, and compression they will use. This is called the handshake. They exchange messages that say “I support X, what do you support?”
2. Vulnerable Extension: Some SSH extensions allow extra features (like OpenSSH’s “ext-info”). These use the Binary Packet Protocol (BPP).
3. Mishandling Packets: Due to this vulnerability, SSH servers and clients may not process handshake packets in the right order, or with the right sequence number, or may drop some handshake extension packets entirely.
4. Security Downgrade: A man-in-the-middle attacker can tamper with the handshake. The attacker can “splice out” parts of these negotiation packets, *convincing one or both sides that certain security features aren’t supported* (even when they are).
5. No Warning: There’s no integrity check over the whole handshake, so neither the client nor server realizes anything’s wrong.

Once this is done, encryption or MAC settings may be silently weakened. In the worst-case scenario, it could let attackers further manipulate the data stream, potentially leading to exposure of sensitive data.

Summary: The attacker can trick SSH clients/servers into missing or skipping negotiation packets, causing them to end up on weaker or even disabled security settings.

Technical Details and Code Example

Here’s a simplified step-by-step of how an attacker could exploit this, with some pseudo-code for understanding.

Normal negotiation

Client --> Server: KEXINIT (lists supported encryption/MAC)
Server --> Client: KEXINIT (lists its supported encryption/MAC)

Client --> Server: ext-info-c (extension negotiation)
Server --> Client: ext-info-s (extension negotiation)

Negotiate chosen method...

# Both have same view of options.

Man-in-the-middle "drops" ext-info messages:

while True:
    pkt = intercept_next_packet()
    if pkt.is_extension_negotiation():
        # DROP the packet, don't forward!
        continue
    forward_packet(pkt)

2. Both client and server think the other doesn’t support certain security extensions, resulting in connection with reduced or disabled security features (such as falling back to default, less secure encryptions or MACs).

Example of using Paramiko in Python
If using a vulnerable version (e.g., before 3.4.), here’s how a session looks—an attacker could drop certain handshake packets in transit:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('target.example.com', username='user', password='pass')

The attack happens *in the network*, not at the code level of Paramiko; but the vulnerable code is in how SSH libraries process the handshake, especially with extension packets.

For deeper technical walkthroughs and proof-of-concept code, see the official Terrapin attack site.

Bypass security features: They can force weaker encryption algorithms or MACs.

- Remove protections: For example, they might “strip” Encrypt-Then-MAC protection, making decryption or tampering easier.
- Stage further attacks: Combined with other vulnerabilities, this could lead to full session compromise or disclosure of sensitive information.

Impossible to Detect: There is NO warning, error, or log that would alert the victim.

The key point: Attackers can undermine the integrity of your SSH session without you knowing.

Immediate Steps

- Upgrade your SSH client and server to the latest version! Vendors have begun patching their products:

Paramiko 3.4.+ is safe.

- See full affected software list and patch status.

Longer-Term

- Avoid the vulnerable encryption/MACs: Avoid sessions using chacha20-poly1305@openssh.com or any CBC with Encrypt-then-MAC.

Sample OpenSSH server configuration to restrict ciphers

# /etc/ssh/sshd_config
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

References & Further Reading

- Official Terrapin Attack Disclosure
- CVE-2023-48795 entry at MITRE
- OpenSSH Release Notes 9.6
- FAQ for the Terrapin attacks
- List of Affected Software
- Technical Paper on Terrapin (PDF)


Summary:
CVE-2023-48795 is a major protocol flaw affecting most SSH software, allowing attackers to subtly downgrade the security of your SSH connections. The *Terrapin* attack is both silent and dangerous. Make sure you upgrade your SSH clients and servers immediately, and check your configurations to avoid risky ciphers.


*If you found this useful, share it with your IT team to help keep systems safe!*

Timeline

Published on: 12/18/2023 16:15:10 UTC
Last modified on: 12/30/2023 03:15:08 UTC