• Terrapin is an attack that manipulates data during the SSH handshake, ultimately compromising the integrity of the SSH channel when any of several commonly used encryption modes is in use.
• The attack allows an attacker to delete or change messages transmitted within the communication channel. This can downgrade the public key algorithms used to authenticate users, or completely disable the protection against keystroke timing attacks in OpenSSH 9.5. In short, Terrapin reduces the security of the connection by manipulating negotiation messages in a way that neither the client nor the server notices.
• The vulnerabilities associated with this attack have the following IDs:
– CVE-2023-48795, a general protocol-level SSH vulnerability;
– CVE-2023-46445 and CVE-2023-46446, issues specific to the AsyncSSH SSH client, which is downloaded by about 60,000 users daily.
• To intercept and modify a handshake, the attacker must first hold a man-in-the-middle (MitM) position on the network, and the connection must be secured either by ChaCha20-Poly1305 or by CBC with Encrypt-then-MAC.
➡ A more detailed description of the implementation can be found here: https://terrapin-attack.com
• A Terrapin vulnerability scanner is available on GitHub; it can help admins determine whether their SSH client or server is vulnerable to this attack: https://github.com/RUB-NDS/Terrapin-Scanner
• As for the numbers, analysts from Shadowserver report that about 11 million SSH servers on the Internet (counted by unique IP address) are vulnerable to Terrapin attacks.
• Thus, approximately 52% of all scanned samples in the IPv4 and IPv6 spaces are vulnerable. The largest numbers of vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000) and Japan (380,000).
• While not all of the 11 million vulnerable servers are at immediate risk of attack, Shadowserver’s information clearly demonstrates that attackers have plenty to choose from.
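The precondition above (ChaCha20-Poly1305, or CBC with Encrypt-then-MAC) can be checked from the algorithm lists a peer advertises in its SSH_MSG_KEXINIT message. The following is an added example, not code from the original post or from Terrapin-Scanner; the helper names, the sample payloads and the OpenSSH strict-KEX marker names (which the post does not mention) are assumptions of this example.

```python
import struct

CHACHA = "chacha20-poly1305@openssh.com"
# Strict-KEX markers added in OpenSSH 9.6 (an assumption here: the page does not name them).
STRICT = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:      # type byte 20, then a 16-byte cookie
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists

def terrapin_exposure(lists: dict) -> dict:
    """Flag the affected modes a peer offers; offered is not the same as negotiated."""
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = CHACHA in enc
    cbc_etm = (any(c.endswith("-cbc") for c in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    strict = bool(STRICT & set(lists["kex"]))
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def build_kexinit(kex, enc, mac) -> bytes:
    """Build a constructed sample payload (same lists in both directions)."""
    named = {"kex": kex, "enc_c2s": enc, "enc_s2c": enc, "mac_c2s": mac, "mac_s2c": mac}
    out = bytes([20]) + bytes(16)
    for name in FIELDS:
        raw = ",".join(named.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
# Constructed samples, not captured traffic.
UNPATCHED = build_kexinit(["curve25519-sha256"], [CHACHA, "aes128-ctr"], ["hmac-sha2-256"])
PATCHED = build_kexinit(["curve25519-sha256", "kex-strict-s-v00@openssh.com"], [CHACHA], ["hmac-sha2-256"])
CBC_ETM = build_kexinit(["curve25519-sha256"], ["aes128-cbc"], ["hmac-sha2-256-etm@openssh.com"])
CTR_ONLY = build_kexinit(["curve25519-sha256"], ["aes128-ctr"], ["hmac-sha2-256"])
```

The verdict is per peer and conservative: strict key exchange only takes effect when both client and server advertise it, so a patched server still needs patched clients.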
#News #Miscellaneous #SSH
