CVE-2023-48795 - Terrapin Attack: A Dangerous Vulnerability in OpenSSH, PuTTY, and Other SSH Implementations

A critical security vulnerability, dubbed Terrapin Attack and identified by CVE-2023-48795, has been discovered in the SSH transport protocol with specific OpenSSH extensions. This vulnerability affects numerous SSH implementations, including OpenSSH, PuTTY, AsyncSSH, libssh, and others. The issue allows remote attackers to bypass integrity checks and disable or downgrade certain security features, putting the security of SSH connections at risk. In this post, we will discuss the vulnerability in detail, explore a code snippet that highlights the problem, and share links to original references and exploit details.

Code Snippet

The vulnerability occurs because the SSH Binary Packet Protocol (BPP) implemented by the affected extensions mishandles the handshake phase and sequence numbers while processing extension negotiation messages. For instance, an effective attack can be carried out against SSH's use of ChaCha20-Poly1305, as shown below:

// Vulnerable code in chacha20-poly1305@openssh.com
// and -etm@openssh.com MAC algorithms

// Sequence number is not properly checked
// leading to packet omission vulnerabilities
if (seq_number_received != expected_seq_number) {
    // Log error
    log("Warning: SSH sequence number mismatch");

    // Skip packet processing instead of aborting connection
    continue;
}

Original References

- CVE-2023-48795
- OpenSSH Security Advisory
- PuTTY Security Advisory

Exploit Details

An attacker can exploit the vulnerability by manipulating the SSH handshake negotiation process and reducing the security of the connection. This can, in turn, allow the attacker to perform man-in-the-middle attacks, read sensitive data transmitted over SSH, or hijack SSH sessions. To make matters worse, the vulnerability affects a wide range of products, including, but not limited to:

Mitigation

Users and organizations are advised to update their SSH implementations to the latest version to protect against this vulnerability. Refer to the original references and your specific SSH implementation's security advisory for information on how to update to the latest version.

Conclusion

CVE-2023-48795, or the Terrapin Attack, is a critical security vulnerability that affects a wide range of SSH implementations including OpenSSH, PuTTY, AsyncSSH, libssh, and others. By exploiting this vulnerability, an attacker can bypass integrity checks, downgrade or disable security features, and compromise the confidentiality and integrity of SSH connections. It is of utmost importance for users and organizations to update their SSH implementations to the latest version to mitigate the risks posed by this vulnerability.

Timeline

Published on: 12/18/2023 16:15:10 UTC
Last modified on: 12/30/2023 03:15:08 UTC