Terrapin attack

{{Short description|Cryptographic attack on the ssh protocol}}

{{Infobox bug

| name = Terrapin attack

| image = File:Terrapin-square.png

| caption = Logo for the Terrapin attack

| CVE ={{CVE|2023-48795}}

| discovered = {{Start date and age|2023|12|19|df=yes}}

| patched =

| discoverer = Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk (Ruhr University Bochum)

| affected software = implementations of the Secure Shell (SSH) protocol including OpenSSH

| website = https://terrapin-attack.com/

}}

The Terrapin attack is a cryptographic attack on the commonly used SSH protocol that is used for secure command-and-control throughout the Internet. The Terrapin attack can reduce the security of SSH by using a downgrade attack via man-in-the-middle interception.{{Cite web |last=Goodin |first=Dan |date=2023-12-19 |title=SSH protects the world's most sensitive networks. It just got a lot weaker |url=https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ |access-date=2023-12-20 |website=Ars Technica |language=en-us}}{{Citation |last1=Bäumer |first1=Fabian |title=Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation |date=2023-12-19 |last2=Brinkmann |first2=Marcus |last3=Schwenk |first3=Jörg|arxiv=2312.12422 }}{{Cite web |title=Terrapin attacks can downgrade security of OpenSSH connections |url=https://www.bleepingcomputer.com/news/security/terrapin-attacks-can-downgrade-security-of-openssh-connections/ |access-date=2023-12-20 |website=BleepingComputer |language=en-us}} The attack works by prefix truncation; the injection and deletion of messages during feature negotiation, manipulating sequence numbers in a way that causes other messages to be ignored without an error being detected by either client or server.

According to the attack's discoverers, the majority of SSH implementations were vulnerable at the time of the discovery of the attack (2023).{{Cite web |last=Jones |first=Connor |title=SSH shaken, not stirred by Terrapin downgrade vulnerability |url=https://www.theregister.com/2023/12/20/terrapin_attack_ssh/ |access-date=2023-12-20 |website=www.theregister.com |language=en}} As of January 3, 2024, an estimated 11 million publicly accessible SSH servers are still vulnerable.{{Cite web |title=Nearly 11 million SSH servers vulnerable to new Terrapin attacks |url=https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/ |access-date=2024-01-07 |website=BleepingComputer |language=en-us}} However, the risk is mitigated by the requirement to intercept a genuine SSH session, and that the attack can only delete messages at the start of a negotiation, fortuitously resulting mostly in failed connections.{{Cite web |date=2023-12-18 |title=OpenSSH 9.6 release notes |url=https://www.openssh.com/txt/release-9.6 |website=openssh.com}} Additionally the attack requires the use of either ChaCha20-Poly1305 or a CBC cipher in combination with Encrypt-then-MAC modes of encryption.{{Cite web |title=Terrapin Attack |url=https://terrapin-attack.com/ |access-date=2024-01-07 |website=terrapin-attack.com}} The SSH developers have stated that the major impact of the attack is the capability to degrade the keystroke timing obfuscation features of SSH.

The designers of SSH have implemented a fix for the Terrapin attack, but the fix is only fully effective when both client and server implementations have been upgraded to support it. The researchers who discovered the attack have also created a vulnerability scanner to determine whether an SSH server or client is vulnerable.{{Cite web |title=Release v1.1.0 · RUB-NDS/Terrapin-Scanner |url=https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.0 |access-date=2024-01-07 |website=GitHub |language=en}}

The attack has been given the CVE ID CVE-2023-48795.{{Cite web |title=CVE-2023-48795 |url=https://www.cve.org/CVERecord?id=CVE-2023-48795 |access-date=2024-01-16 |website=cve.org |language=en}} In addition to the main attack, two other vulnerabilities were found in AsyncSSH, and assigned the CVE IDs CVE-2023-46445 and CVE-2023-46446.