Terrapin Nibbles at the Security of SSH Connections, If An Attacker Can Sit in the Middle
Potentially exploitable on 77 percent of internet-accessible SSH servers, the Terrapin vulnerability lets a man-in-the-middle attacker silently strip messages from the start of the secure channel and downgrade a connection's security.
Researchers from Ruhr University Bochum have warned of a vulnerability in the Secure Shell (SSH) protocol, dubbed Terrapin, which a man-in-the-middle (MITM) attacker can use to downgrade a connection's security or to exploit other flaws in specific SSH implementations.
"Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel," the researchers write of their discovery. "By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it."
SSH replaced the insecure Telnet protocol as a common way to open a shell, either interactive or for machine-to-machine communication, between two systems on a network. As well as allowing for remote administration of servers, SSH is commonly used to provide secure access to network equipment and Internet of Things (IoT) devices — which makes any vulnerability in the protocol serious indeed.
To exploit Terrapin, an attacker must first be positioned between the target SSH server and its client, performing a man-in-the-middle attack. If the connection then negotiates either the ChaCha20-Poly1305 cipher (chacha20-poly1305@openssh.com) or a CBC-mode cipher combined with an Encrypt-then-MAC (-etm@openssh.com) MAC, which, the researchers report, around 77 percent of the SSH servers found in an internet-wide scan support, the attack can be carried out.
When a Terrapin attack succeeds, the messages silently deleted from the start of the secure channel can downgrade the connection to weaker user authentication and switch off protections against other known weaknesses, such as countermeasures against keystroke timing attacks. The researchers also found that Terrapin could be combined with other flaws in specific SSH server implementations: "For example," they write, "we found several weaknesses in the AsyncSSH server's state machine, allowing an attacker to sign a victim's client into another account without the victim noticing."
While the flaw is serious, the team cautions against panic. "Should I drop everything and fix this? Probably not," the researchers say. "If you feel uncomfortable waiting for your SSH implementation to provide a patch, you can work around this vulnerability by temporarily disabling the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead."
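As an added example, and not code from this article or from the Terrapin researchers, the Python script below shows what the two affected-mode conditions and the workaround quoted above amount to in practice. It serialises and parses SSH_MSG_KEXINIT payloads (the message in which client and server exchange their algorithm preference lists), applies the RFC 4253 negotiation rule to pick the cipher and MAC for each direction, flags a negotiation that lands on chacha20-poly1305@openssh.com or on a CBC cipher paired with an -etm@openssh.com MAC, and then applies the researchers' workaround to a server's offer to show that the same clients no longer negotiate an affected mode. All algorithm lists are constructed sample data, not captures. The check for the strict-kex pseudo-algorithms (kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com, which patched implementations such as OpenSSH 9.6 advertise to reset sequence numbers after key exchange) is my addition and is not discussed in the article.

```python
import struct

# Wire order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
)
SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
# Pseudo-KEX names advertising "strict kex"; an assumption added here, not covered by the article.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
# The researchers' server-side workaround in sshd_config syntax ("-" removes names from the default set).
SSHD_CONFIG_WORKAROUND = "Ciphers -chacha20-poly1305@openssh.com\nMACs -*-etm@openssh.com\n"


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload: msg id, 16-byte cookie, ten name-lists, flag, reserved."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [algorithm names]}; rejects truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += 4 + n
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def negotiate(client_pref, server_pref):
    """RFC 4253 rule: the first client-preferred name that the server also offers."""
    return next((name for name in client_pref if name in server_pref), None)


def terrapin_exposure(client, server):
    """Classify a client/server KEXINIT pair against the two Terrapin-affected modes."""
    affected = []
    for d in ("c2s", "s2c"):
        cipher = negotiate(client["encryption_" + d], server["encryption_" + d])
        mac = negotiate(client["mac_" + d], server["mac_" + d])
        if cipher == CHACHA:
            affected.append((d, cipher, None))  # ChaCha20-Poly1305 is AEAD; no separate MAC
        elif cipher and cipher.endswith("-cbc") and mac and mac.endswith(ETM_SUFFIX):
            affected.append((d, cipher, mac))   # CBC cipher with an Encrypt-then-MAC MAC
    strict = (STRICT_KEX_CLIENT in client["kex_algorithms"]
              and STRICT_KEX_SERVER in server["kex_algorithms"])
    return {"affected_modes": affected, "strict_kex": strict,
            "vulnerable": bool(affected) and not strict}


def harden(server):
    """Apply the quoted workaround to a server's offer: drop chacha20-poly1305 and every -etm MAC."""
    out = {k: list(v) for k, v in server.items()}
    for d in ("c2s", "s2c"):
        out["encryption_" + d] = [c for c in out["encryption_" + d] if c != CHACHA]
        out["mac_" + d] = [m for m in out["mac_" + d] if not m.endswith(ETM_SUFFIX)]
    return out


def offer(ciphers, macs, kex=("curve25519-sha256",)):
    """Constructed sample offer with identical c2s/s2c preferences (not a real capture)."""
    return {"kex_algorithms": list(kex), "server_host_key_algorithms": ["ssh-ed25519"],
            "encryption_c2s": list(ciphers), "encryption_s2c": list(ciphers),
            "mac_c2s": list(macs), "mac_s2c": list(macs),
            "compression_c2s": ["none"], "compression_s2c": ["none"],
            "languages_c2s": [], "languages_s2c": []}


def assess(client, server):
    """Round-trip both offers through the wire format, then classify the negotiation."""
    return terrapin_exposure(parse_kexinit(build_kexinit(client)),
                             parse_kexinit(build_kexinit(server)))


ETM_FIRST = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
SERVER = offer([CHACHA, "aes128-ctr", "aes128-cbc", "aes256-gcm@openssh.com"], ETM_FIRST)
CLIENT_CHACHA = offer([CHACHA, "aes128-ctr"], ETM_FIRST)
CLIENT_CBC = offer(["aes128-cbc", "aes128-ctr"], ETM_FIRST)
CLIENT_GCM = offer(["aes256-gcm@openssh.com", "aes128-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for name, client in (("chacha", CLIENT_CHACHA), ("cbc", CLIENT_CBC), ("gcm", CLIENT_GCM)):
        print(name, "vs default:", assess(client, SERVER))
        print(name, "vs hardened:", assess(client, harden(SERVER)))
    print(SSHD_CONFIG_WORKAROUND)
```

A real scanner reads the server's KEXINIT off a TCP connection after the version-string exchange; this script works on embedded offers so it runs offline. Two caveats a practitioner should keep in mind: the workaround leaves CBC ciphers enabled, because the condition quoted above needs CBC together with an Encrypt-then-MAC MAC, but there is no good reason to keep CBC when AES-GCM is available; and the negotiation is per direction, so a server that only removes the affected algorithms from one of its two lists is still exposed.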
Full details of the attack are available on the Terrapin website, along with a link to the team's preprint paper; a vulnerability scanner has been released on GitHub under the permissive Apache 2.0 license for those who want to check whether their own systems are affected.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.