OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks

Dear OSG Security Contacts,

A flaw was found in the channel integrity of the SSH protocol. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.

IMPACTED VERSIONS:

Multiple versions of SSH, including AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others.

WHAT ARE THE VULNERABILITIES:

Although the attack is cryptographically innovative, its security impact is limited. It only allows the deletion of consecutive messages, and deleting most messages at this protocol stage prevents user authentication from proceeding, leading to a stalled connection. The most significant identified impact is that it enables a man in the middle to delete the SSH2_MSG_EXT_INFO message sent before authentication begins. This allows the attacker to disable a subset of keystroke timing obfuscation features. However, there is no other observable impact on session secrecy or session integrity.

WHAT YOU SHOULD DO:

Upgrade to secure packages as they become available.
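
To confirm that an upgraded server actually advertises the fix, its SSH_MSG_KEXINIT offer can be inspected. The following is an added example, not code from OSG or from any of the projects listed here. The algorithm names are not stated in this advisory; they come from the CVE-2023-48795 description and OpenSSH's strict key exchange extension, and `build_kexinit` only constructs sample input.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # strict-KEX marker sent by patched servers
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload):
    """Return the 10 name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, []  # skip 1-byte message type and 16-byte cookie
    for _ in range(10):
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii", "replace")
        lists.append(raw.split(",") if raw else [])
        off += n
    return lists

def terrapin_exposure(server_kexinit):
    """Classify a server's offer: affected modes present, and strict KEX advertised?"""
    lists = parse_kexinit(server_kexinit)
    ciphers = set(lists[2]) | set(lists[3])  # both directions
    macs = set(lists[4]) | set(lists[5])
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    affected = CHACHA in ciphers or cbc_etm
    strict = STRICT_KEX_SERVER in lists[0]
    return {"affected_modes": affected, "strict_kex": strict,
            "exposed": affected and not strict}

def build_kexinit(kex, ciphers, macs):
    """Construct a sample KEXINIT payload (test input, not captured traffic)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    fields = (kex, ["ssh-ed25519"], ciphers, ciphers, macs, macs,
              ["none"], ["none"], [], [])
    for names in fields:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

if __name__ == "__main__":
    old = build_kexinit(["curve25519-sha256"], [CHACHA, "aes128-ctr"], ["hmac-sha2-256"])
    new = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], [CHACHA], ["hmac-sha2-256"])
    print(terrapin_exposure(old))
    print(terrapin_exposure(new))
```

The result describes the server's offer only: strict key exchange takes effect when the client also advertises its own marker, `kex-strict-c-v00@openssh.com`, so both ends need the upgrade.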

REFERENCES

[1] Red Hat Errata https://access.redhat.com/security/cve/cve-2023-48795
[2] SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795) https://www.helpnetsecurity.com/2023/12/19/ssh-vulnerability-cve-2023-48795/
[3] OpenSSH package version https://www.openssh.com/txt/release-9.6
[4] LibSSH package version https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
[5] AsyncSSH package version https://asyncssh.readthedocs.io/en/latest/changes.html#release-2-14-2-18-dec-2023
[6] PuTTY https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html
[7] Transmit https://help.panic.com/releasenotes/transmit5/#5104
[8] SUSE https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/v
[9] Ubuntu https://ubuntu.com/security/notices/USN-6560-1

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team