CVE CyberSecurity Database News

CVE-2024-41909 - Terrapin Attack Hits Apache MINA SSHD (with Exploit Example & Fixes)

Poster -

CVE-2024-41909 is a vulnerability that was discovered in Apache MINA SSHD, which is a popular Java SSH library. This vulnerability is very similar to the well-known CVE-2023-48795 “Terrapin” attack. In simple terms, it lets an attacker downgrade or turn off security options in an SSH connection by manipulating and dropping certain packets if they’re able to sit between your SSH client and server (a so-called "man-in-the-middle").

Let’s break this down so you can protect your servers and understand exactly what’s going on.

How Does the Terrapin Attack Work?

The heart of this attack is that SSH negotiates security settings between your SSH client and the server when a connection starts. An attacker who can intercept the traffic—think rogue Wi-Fi or a compromised router—can drop a few specific packets during this startup phase.

When this happens, both your client and server get confused. They may end up agreeing on weaker security settings (or no extra security at all) without warning you. This leaves your connection much less secure and makes it a juicy target for further attacks.

Vulnerable Apache MINA SSHD Versions:
Any version below 2.12. is affected.

Client starts SSH connection to the server.

3. During the negotiation, the attacker drops, delays, or reorders certain “extension negotiation” packets (such as SSH_MSG_EXT_INFO).
4. Because of the dropped packets, security features like strict key exchange, message authentication, or encryption upgrades are silently skipped or downgraded.

Client and server both *think* everything’s fine, but the session is opened with weaker security.

Example Python Exploit Snippet
(NOTE: For education only. Don’t attack networks that aren’t yours.)

Here’s an extremely simplified snippet showing how an attacker might drop SSH packets with scapy

from scapy.all import *

def pkt_callback(pkt):
    # Filter for SSH extension packets (fake example)
    if b'SSH_MSG_EXT_INFO' in bytes(pkt):
        # Drop the packet (don’t forward)
        print("Dropped SSH extension negotiation packet")
        return
    else:
        # Forward the rest
        send(pkt)

sniff(prn=pkt_callback, filter='tcp port 22', store=)

Result: The SSH connection proceeds, but some or all extra protections negotiated through extension packets never apply.

What Should You Do?

1. Upgrade!
Update your Apache MINA SSHD jars to at least 2.12.—this fixes the Terrapin attack.
Download: Apache MINA SSHD 2.12. release

2. Both Sides Need Fixing
It’s not enough to just update your server (or client). BOTH client and server must run fixed versions. Otherwise, the session can still be attacked.

3. Check for Mitigations
The fix works by requiring both sides of a connection to confirm support for “strict key exchange” features. If either side is missing mitigation, the session should be rejected—or at least NOT be considered secure.

If you use MINA SSHD and haven’t upgraded past 2.12., you’re almost certainly at risk.

- Look for logs or configs mentioning "extension negotiation" or "KEX", and double-check your dependency versions.
- Test your setup using security scanners or reliable scripts like those from Terrapin-attack.com.

References & Further Reading

- CVE-2023-48795 Advisory (terrapin-attack.com)
- Apache MINA SSHD Security Advisories
- Official Fix Commit
- Apache MINA SSHD Download Page

In Summary

CVE-2024-41909 is just one example of how even “secure” encryption protocols like SSH can be made weak if an attacker can fudge the handshake. Don’t wait: patch your servers and clients as soon as you can, and double-check you’re not running old Java SSHD jars in production!

If you want more technical details, source links, or advice on rolling out updates safely, check out the references above or join Apache’s security mailing lists.

Timeline

Published on: 08/12/2024 16:15:15 UTC
Last modified on: 08/30/2024 18:32:14 UTC