Millions still haven’t patched Terrapin SSH protocol vulnerability

January 3, 2024:

Millions still haven’t patched Terrapin SSH protocol vulnerability

Getty Images

Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks. Once they’re in, attackers compromise the integrity of SSH sessions that form the lynchpin for admins to securely connect to computers inside the cloud and other sensitive environments.

Terrapin, as the vulnerability has been named, came to light two weeks ago in a research paper published by academic researchers. Tracked as CVE-2023-48795, the attack the researchers devised works when attackers have an adversary-in-the-middle attack (also abbreviated as AitM and known as man-in-the-middle or MitM), such as when they’re positioned on the same local network and can secretly intercept communications and assume the identity of both the recipient and the sender.

In those instances, Terrapin allows attackers to alter or corrupt information transmitted in the SSH data stream during the handshake—the earliest connection stage, when the two parties negotiate the encryption parameters they will use to establish a secure connection. As such, Terrapin represents the first practical cryptographic attack targeting the integrity of the SSH protocol itself. It works by targeting BPP (Binary Packet Protocol), which is designed to ensure AitMs can’t add or drop messages exchanged during the handshake. This prefix truncation attack works when implementations support either the “ChaCha20-Poly1305” or “CBC with Encrypt-then-MAC,” cipher modes, which, at the time the paper was published, was found in 77 percent of SSH servers.

Internet-wide scans performed Tuesday, the last day such data was available at the time of reporting, revealed that more than 11 million IP addresses exposing an SSH server remained vulnerable to Terrapin. Nearly a third of those addresses, 3.3 million, resided in the US, followed by China, Russia, Germany, Russia and Singapore. All of the unpatched implementations tracked by Shadowserver supported the required cipher modes.

Tree map for CVE-2023-48795.
Enlarge / Tree map for CVE-2023-48795.
World map of countries unpatched against CVE-2023-48795.
Enlarge / World map of countries unpatched against CVE-2023-48795.

Shadowserver

Only 53 of the vulnerable instances relied on implementations of AsyncSSH, the only app currently known to be seriously affected by Terrapin. Two vulnerabilities the researchers discovered in AsyncSSH allowed Terrapin to (1) downgrade security extensions that organizations to replace the extension information message sent by the server, letting the attacker control its content or (2) control the remote end of an SSH client session by either injecting or removing packets or emulating the shell established. AsyncSSH has patched those two vulnerabilities, tracked as CVE-2023-46445 and CVE-2023-46446, in addition to CVE-2023-48795, the Terrapin vulnerability affecting the SSH protocol. It appears the overwhelming majority of AsyncSSH users have installed the patches.

The requirement of an AitM position and the lack of currently known practical attacks made possible by Terrapin are important mitigating factors that some critics say have been lost in some news coverage. That said, at this stage, there are few good reasons not to have patched the protocol flaw by now, since patches became widely available about one to two weeks ago.

“The attack requires quite a bit of complexity in that MitM is necessary, so that will limit practical application to more targeted attacks in our view,” Piotr Kijewski, a Shadowserer researcher, wrote in an email to Ars. “So unlikely to have this mass-exploited. Still, the sheer mass of vulnerable instances suggests this vulnerability will be with us for years to come and that in itself makes it attractive in some specific cases.”

While it’s unlikely that Terrapin will ever be mass-exploited, the potential remains for it to be used in targeted attacks by more sophisticated attackers, such as those backed by nation-states. Despite earlier versions of AsyncSSH being the only known application vulnerable to practical Terrapin attacks, the researchers spent little time analyzing other implementations. Adversaries with more time, resources, and motivation could identify other vulnerable implementations.

Kijewski listed the top 50 banners displayed by vulnerable IP addresses as:

  • serverid_software   count
  • openssh_7.4 2878009
  • openssh_7.6p1   956296
  • openssh_8.2p1   802582
  • openssh_8.0 758138
  • openssh_7.9p1   718727
  • openssh_8.4p1   594147
  • openssh_8.9p1   460595
  • openssh_7.2p2   391769
  • openssh_7.4p1   320805
  • openssh_8.5 316462
  • openssh_9.3 298626
  • openssh_8.7 219381
  • openssh_6.7p1   156758
  • openssh_9.2p1   141010
  • openssh_6.6.1p1 136489
  • openssh_9.0 112179
  • openssh_6.6.1   105423
  • dropbear_2020.80    93154
  • openssh_8.8 88284
  • openssh_7.5 76034
  • aws_sftp_1.1 75157
  • openssh_9.0p1   70305
  • openssh_8.2 59887
  • openssh_7.9 59301
  • dropbear    51374
  • openssh 35408
  • openssh_7.2 34494
  • openssh_7.8 33955
  • dropbear_2020.81    28189
  • openssh_9.5 27525
  • openssh_9.1 26748
  • openssh_8.1 23188
  • lancom  22267
  • openssh_6.4 18483
  • openssh_8.4 18158
  • openssh_8.9 17310
  • openssh_7.6 17235
  • openssh_for_windows_8.1 17150
  • openssh_for_windows_7.7 15603
  • openssh_8.6 14018
  • openssh_6.9 13601
  • openssh_9.4 12802
  • dropbear_2022.82    12605
  • dropbear_2022.83    12036
  • openssh_7.7 11645
  • openssh_for_windows_8.0 11089
  • openssh_7.3 10083
  • mod_sftp    9937
  • openssh_8.3p1   9163
  • cisco-1.25  8301

Patching Terrapin isn’t straightforward, because of the sheer number of implementations affected and the necessity that apps running on both the admin client and the server be patched. The researchers listed the following implementations as vulnerable and included links to patches when available. Asterisks indicate application developers contacted prior to the release of the research paper:

Implementation Affected Versions Patched Version(s)
AsyncSSH* 2.14.1 and earlier 2.14.2
Bitvise SSH* 9.31 and earlier 9.33
ConnectBot* 1.9.9 and earlier 1.9.10
CrushFTP 10.5.6 and earlier 10.6.0
CycloneSSH* 2.3.2 and earlier 2.3.4
Dropbear* 2022.83 and earlier To be released
Erlang/OTP SSH* OTP 26.2 and earlier
OTP 25.3.2.7 and earlier
OTP 24.3.4.14 and earlier
OTP 26.2.1
OTP 25.3.2.8
OTP 24.3.4.15
FileZilla Client 3.66.1 and earlier 3.66.4
Golang x/crypto/ssh* 0.16.0 and earlier 0.17.0
JSch (Fork)* 0.2.14 and earlier 0.2.15
libssh* 0.10.5 and earlier
0.9.7 and earlier
0.10.6
0.9.8
libssh2* 1.11.0 and earlier To be released
Maverick Legacy* 1.7.55 and earlier 1.7.56
Maverick Synergy* 3.0.21 and earlier (Hotfix)
3.0.10 and earlier (OSS)
3.0.22
3.1.0-SNAPSHOT
MobaXterm 23.5 and earlier 23.6
Nova 11.7 and earlier 11.8
OpenSSH* 9.5 / 9.5p1 and earlier 9.6 / 9.6p1
Paramiko* 3.3.1 and earlier 3.4.0
phpseclib 3.0.34 and earlier
2.0.45 and earlier
1.0.21 and earlier
3.0.35
2.0.46
1.0.22
PKIX-SSH* 14.3 and earlier 14.4
ProFTPD* 1.3.8a and earlier 1.3.8b
PuTTY* 0.79 and earlier 0.80
Russh* 0.40.1 and earlier 0.40.2
SecureCRT* 9.4.2 and earlier 9.4.3
SFTP Gateway 3.4.5 and earlier 3.4.6
SFTPGo 2.5.5 and earlier
2.4.5 and earlier
2.5.6
2.4.6
ssh2* 1.14.0 and earlier 1.15.0
sshj* 0.37.0 and earlier 0.38.0
Tera Term* 5.0 and earlier
4.107 and earlier
5.1
4.108
Thrussh* 0.34.0 and earlier 0.35.1
TinySSH 20230101 and earlier 20240101
Transmit 5.10.3 and earlier 5.10.4
Win32-OpenSSH* 9.4.0.0p1-Beta 9.5.0.0p1-Beta
WinSCP 6.1.2 and earlier 6.2.2 beta
XShell 7* Build 0142 and earlier Build 0144

As explained earlier, there’s little reason for mass alarm. Terrapin is no Citrix Bleed , CVE-2022-47966, MoveIT, CVE-2021-22986, or CVE-2023-49103, or CVE-2021-22986, which were some of the most exploited vulnerabilities of 2023 that led to the compromise of millions of servers. So far, there are no known reports of Terrapin patches causing side effects. Admins would do well to patch sooner rather than later.

Source link