Cybersecurity · · 2 min read

Exploring the Depths of the Terrapin Attack: A Comprehensive Guide

Exploring the Depths of the Terrapin Attack: A Comprehensive Guide

Welcome back, readers! As we step into 2024, it's time to dive into one of the most intriguing topics that concluded the previous year – the Terrapin Attack. This cybersecurity threat, revolving around the SSH (Secure Shell) protocol, has garnered significant attention, making it a must-discuss topic for our tech-savvy audience.

Understanding the Terrapin Attack

The Flaw at Its Core

The Terrapin Attack targets the SSH protocol by truncating cryptographic information during the SSH handshake. This vulnerability lies in the SSH protocol itself, affecting a wide range of SSH client and server implementations, including popular ones like OpenSSH, PuTTY, and FileZilla​​.

How It Compromises Security

There are two primary ways the Terrapin Attack affects SSH connections:

  1. Signature Downgrade Attacks: These compromise the security of an SSH connection, potentially allowing unauthorized access or data interception.
  2. Specific Impact on OpenSSH: In versions newer than 9.5, this attack can bypass keystroke timing obfuscation features. This vulnerability could allow attackers to brute-force SSH passwords by analyzing SSH network packets​​.

Mechanism of the Attack

A Novel Man-in-the-Middle Approach

The Terrapin Attack employs a man-in-the-middle (MitM) strategy to deceive the SSH client into believing that the server doesn't support recent signature algorithms. This leads to a fallback on less secure protocols, significantly reducing the security of the connection​​.

Manipulation of the SSH Handshake

The attack involves the strategic manipulation of SSH handshake messages. By truncating the EXT_INFO message, the attacker can force the use of weaker hashing algorithms like SHA-1, known to be vulnerable to various attacks​​. Additionally, attackers can inject packets to manipulate sequence numbers, avoiding detection​​.

Remediation Measures

OpenSSH's Response to CVE-2023-48795

OpenSSH addressed this vulnerability by implementing a new "strict KEX" protocol and resetting sequence numbers to zero after sending or receiving SSH2_MSG_NEWKEYS messages. These fixes were released in OpenSSH version 9.6p1​​.

Mitigation Steps for Users

Users can mitigate this vulnerability by adjusting their SSH configurations. For OpenSSH, this involves disabling the vulnerable ChaCha20-Poly1305 cipher and ensuring that no vulnerable aes(128|192|256)-cbc ciphers are enabled. Paramiko users should also disable these ciphers and any EtM MACs​​.

Utilizing the Terrapin Vulnerability Scanner

A Tool for Detection

To aid in identifying vulnerable systems, the Terrapin researchers developed a vulnerability scanner. This Go-based tool assesses the susceptibility of SSH clients and servers to the Terrapin Attack by checking supported algorithms and known countermeasures​​.

How to Use the Scanner

Users can either download pre-compiled binaries or build the tool themselves using Go v1.18. The scanner offers various commands to test SSH servers and clients, with results available in JSON format for easy interpretation​​.

Conclusion

As we embark on the journey of 2024, the discovery of the Terrapin attack underscores the importance of staying abreast of cybersecurity developments. It reminds us that the digital world is akin to a vast ocean, constantly ebbing and flowing with new challenges and threats. Our role, as users and administrators, is to navigate these waters with informed caution, adopting the necessary measures to safeguard our digital assets.

Let this be the year we fortify our digital shores against the tides of cyber threats, ensuring a safer and more secure digital experience for all. Happy New Year, and here's to a year of digital resilience and proactive cybersecurity!

Read next