Terrapin, a MITM attack on SSH that manipulates sequence numbers during the connection negotiation process


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

Recently, a group of researchers from Ruhr University Bochum, Germany, presented the details of a new MITM attack technique against SSH, which they have named "Terrapin" and which, they report, lets an attacker degrade the security of an SSH connection by interfering with SSH extension negotiation. The practical impact depends on which extensions the two sides support, but the researchers state that "almost all" deployed implementations are affected.

Terrapin exploits a vulnerability (cataloged as CVE-2023-48795) that an attacker positioned as a man-in-the-middle can use against OpenSSH and other implementations. By stripping messages from the start of the secure channel, the attacker can downgrade the connection to weaker client authentication algorithms, or disable the protection against side-channel attacks that reconstruct typed input by analyzing the delays between keystrokes.

"By carefully adjusting the sequence numbers during the handshake, an attacker can delete an arbitrary number of messages sent by the client or server at the beginning of the secure channel without the client or server noticing," the researchers mention.

Regarding scope, the vulnerability affects all SSH implementations that support the ChaCha20-Poly1305 cipher, or CBC-mode ciphers in combination with ETM (Encrypt-then-MAC) integrity protection. Both have been available in OpenSSH for roughly a decade, so the affected code paths are widely deployed.

“Most commonly, this affects the security of client authentication when using an RSA public key. When using OpenSSH 9.5, it can also be used to disable certain countermeasures to keystroke timing attacks,” the researchers write.

The vulnerability stems from the fact that an attacker who controls the connection's traffic (for example, the operator of a malicious wireless access point) can manipulate packet sequence numbers during the handshake and thereby silently delete an arbitrary number of SSH messages sent by the client or the server at the start of the secure channel.

Among other things, an attacker can delete the SSH_MSG_EXT_INFO message used to negotiate which protocol extensions are in use. Deleting a packet on its own would leave a gap in the sequence numbers and be detected. To hide it, the attacker first injects a dummy packet during the still-unencrypted part of the handshake, before SSH_MSG_NEWKEYS. The dummy packet carries an SSH_MSG_IGNORE message, which the receiver discards without processing, but it still advances the receiver's sequence counter by one. When the attacker then drops the first encrypted packet, the counters on both sides line up again and the deletion goes unnoticed.

To perform a Terrapin attack in practice, attackers require man-in-the-middle capabilities at the network layer to intercept and modify traffic. Additionally, the connection must negotiate one of the affected cipher modes; with any other cipher the manipulation is detected.

The attack cannot be carried out against stream ciphers and CTR-mode ciphers, because deleting a packet desynchronises the keystream state and the following packet fails to decrypt or verify. In practice, only ChaCha20-Poly1305 (whose per-packet state consists solely of the message sequence number) and CBC ciphers combined with Encrypt-then-MAC mode (the *-etm@openssh.com MACs) are exploitable. Since chacha20-poly1305@openssh.com is the first entry in OpenSSH's default cipher preference list, a large share of real connections negotiate an affected configuration.

The researchers also report that in the Python AsyncSSH library, combined with a separate vulnerability in its internal state machine (CVE-2023-46446), the Terrapin technique allows a MITM attacker to hijack the client's SSH session.

The vulnerability is fixed in OpenSSH version 9.6. This version of OpenSSH, and other implementations, adopt a protocol extension called "strict KEX" to block the attack. Support is signalled through the pseudo-algorithms kex-strict-c-v00@openssh.com (client) and kex-strict-s-v00@openssh.com (server) in the SSH_MSG_KEXINIT message, and the mode is enabled automatically only when both the server and the client support it. In strict mode, an endpoint terminates the connection on receipt of any abnormal or unnecessary message during the key exchange (for example, SSH_MSG_IGNORE or SSH_MSG_DEBUG), and both sides reset their sequence numbers to zero after each completed key exchange, so a deleted packet can no longer be hidden by a counter offset. Because the fix requires both ends to be updated, an unpatched client connecting to a patched server remains exposed; until both sides are updated, the workaround is to remove chacha20-poly1305@openssh.com and the combination of CBC ciphers with *-etm@openssh.com MACs from the negotiated Ciphers and MACs.
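To make the sequence-number trick and the strict KEX countermeasure concrete, the following is an added toy model written for this article; it is not code from the Terrapin paper or from OpenSSH. Real SSH never transmits the sequence number: each side counts packets and feeds its counter into the ChaCha20-Poly1305 nonce or the ETM MAC. Here a keyed HMAC over (counter, packet) stands in for that binding, the session key and payloads are constructed, and the `Endpoint`, `run` and `vulnerable_pair` names are the example's own. The model replays the server-to-client packets around the first key exchange through an attacker who either only deletes SSH_MSG_EXT_INFO (detected), or deletes it after injecting an SSH_MSG_IGNORE before NEWKEYS (the Terrapin case, undetected without strict KEX), and shows both strict KEX mechanisms catching it.

```python
"""Toy model of the Terrapin prefix-truncation trick and of the strict KEX fix.

Added illustration, not code from the Terrapin paper or from OpenSSH. A keyed
HMAC over (implicit sequence number, packet) stands in for the real cipher's
binding of each packet to the counter. Message numbers are the real SSH values;
the key and payloads are constructed for the example."""
import hashlib
import hmac

SSH_MSG_IGNORE = 2
SSH_MSG_DEBUG = 4
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21

SESSION_KEY = b"constructed-session-key"  # constructed; really derived by the KEX


def tag_for(seq: int, msg_type: int, payload: bytes) -> bytes:
    """Stand-in for the sequence-number-bound integrity tag of the real cipher."""
    data = seq.to_bytes(4, "big") + bytes([msg_type]) + payload
    return hmac.new(SESSION_KEY, data, hashlib.sha256).digest()


class Endpoint:
    """One side of one direction of the connection: a counter and its state."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0             # implicit sequence number, never on the wire
        self.encrypted = False   # becomes True once SSH_MSG_NEWKEYS has passed
        self.delivered = []      # message types handed up to the protocol layer

    def send(self, msg_type: int, payload: bytes = b"") -> dict:
        tag = tag_for(self.seq, msg_type, payload) if self.encrypted else None
        self._advance(msg_type)
        return {"type": msg_type, "payload": payload, "tag": tag}

    def receive(self, pkt: dict) -> None:
        if self.encrypted:
            expected = tag_for(self.seq, pkt["type"], pkt["payload"])
            if pkt["tag"] is None or not hmac.compare_digest(expected, pkt["tag"]):
                raise ValueError(f"integrity failure at seq {self.seq}")
        elif self.strict_kex and pkt["type"] in (SSH_MSG_IGNORE, SSH_MSG_DEBUG):
            # strict KEX: filler messages during the handshake end the connection
            raise ValueError("strict kex: unexpected message during handshake")
        self._advance(pkt["type"])
        if pkt["type"] != SSH_MSG_IGNORE:
            self.delivered.append(pkt["type"])

    def _advance(self, msg_type: int) -> None:
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypted = True
            if self.strict_kex:
                self.seq = 0  # strict KEX: counter restarts after every key exchange


def server_stream(server: Endpoint) -> list:
    """Server-to-client packets around the first key exchange (payloads constructed)."""
    return [
        server.send(SSH_MSG_KEXINIT, b"kex and cipher lists"),
        server.send(SSH_MSG_NEWKEYS),
        server.send(SSH_MSG_EXT_INFO, b"server-sig-algs=rsa-sha2-256,rsa-sha2-512"),
        server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"),
    ]


def run(attack: str, strict_kex: bool):
    """Relay the server's packets to the client through an attacker.

    attack is "none", "drop" (delete EXT_INFO only) or "terrapin" (delete EXT_INFO
    and inject an IGNORE before NEWKEYS). Returns the message types the client
    accepted and the error that ended the connection, if any."""
    server, client = Endpoint(strict_kex), Endpoint(strict_kex)
    wire = server_stream(server)
    if attack in ("drop", "terrapin"):
        # the prefix truncation: the first encrypted packet silently disappears
        wire = [p for p in wire if p["type"] != SSH_MSG_EXT_INFO]
    if attack == "terrapin":
        # unauthenticated filler sent while the channel is still plaintext; the
        # client's receive counter is now one ahead, which covers the deleted slot
        newkeys_at = next(i for i, p in enumerate(wire) if p["type"] == SSH_MSG_NEWKEYS)
        wire.insert(newkeys_at, {"type": SSH_MSG_IGNORE, "payload": b"", "tag": None})
    try:
        for pkt in wire:
            client.receive(pkt)
    except ValueError as err:
        return client.delivered, str(err)
    return client.delivered, None


def vulnerable_pair(cipher: str, mac: str) -> bool:
    """The combinations the paper names as exploitable: ChaCha20-Poly1305, whose
    only per-packet state is the sequence number, or a CBC cipher with an
    Encrypt-then-MAC (*-etm@openssh.com) MAC."""
    return cipher == "chacha20-poly1305@openssh.com" or (
        cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))
```

Calling `run("terrapin", False)` returns the client having accepted KEXINIT, NEWKEYS and SERVICE_ACCEPT with no error, and EXT_INFO simply never arrives: that is the silent downgrade. `run("drop", False)` fails at the first encrypted packet, which is why the attacker needs the injected IGNORE. With `strict_kex=True` the IGNORE itself aborts the handshake, and even a receiver that only applied the counter reset would reject the next packet, because the server's counter restarted at zero after NEWKEYS while the attacker's offset is still one. `vulnerable_pair` encodes the cipher/MAC rule from the text so a negotiated algorithm pair (for example from `ssh -vv` output) can be classified.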

Finally, if you are interested in learning more about it, you can consult the details at the following link.

