Terrapin - a vulnerability in the SSH protocol that allows connection security to be downgraded

A group of researchers from Ruhr University Bochum (Germany) has presented Terrapin, a new MITM attack technique against SSH that exploits a vulnerability (CVE-2023-48795) in the protocol. An attacker positioned as a man-in-the-middle can, during connection negotiation, suppress the message that configures protocol extensions and thereby lower the security level of the connection. A prototype attack toolkit has been published on GitHub.

In OpenSSH, for example, the vulnerability allows the connection to be downgraded to less secure authentication algorithms and allows the attacker to disable the protection against side-channel attacks that reconstruct typed input from the timing between keystrokes. In the Python library AsyncSSH, combined with a vulnerability (CVE-2023-46446) in the implementation of its internal state machine, the Terrapin attack allows an attacker to insert themselves into an SSH session.

The vulnerability affects all SSH implementations that support the ChaCha20-Poly1305 cipher, or CBC-mode ciphers combined with ETM (Encrypt-then-MAC) mode; OpenSSH, for example, has offered these for more than 10 years. The vulnerability is fixed in today's release of OpenSSH 9.6, and in the updates PuTTY 0.80, libssh 0.10.6/0.9.8 and AsyncSSH 2.14.2. In Dropbear SSH the fix has already been committed to the code, but a new release has not yet been made.

The vulnerability stems from the fact that an attacker who controls the connection's traffic (for example, the operator of a malicious wireless access point) can manipulate packet sequence numbers during connection negotiation and silently delete an arbitrary number of SSH service messages sent by the client or server. Among other things, the attacker can delete the SSH_MSG_EXT_INFO messages used to configure protocol extensions. To keep the other party from detecting the loss through a gap in the sequence numbers, the attacker first injects a dummy packet that takes the sequence number of the deleted packet, shifting the sequence numbering by one. The dummy packet carries a message of type SSH_MSG_IGNORE, which is discarded during processing.


The attack cannot be carried out against stream ciphers or CTR mode, since the integrity violation would be detected at the application level. In practice, only the ChaCha20-Poly1305 cipher (chacha20-poly1305@openssh.com), whose state is tracked solely by message sequence numbers, and the combination of Encrypt-then-MAC mode (*-etm@openssh.com) with CBC ciphers are susceptible.
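A practical way to use the two conditions above is to check what a given client/server pair would actually negotiate. The following is an added example, not code from the Terrapin researchers or from any SSH project: it takes the algorithm lists both sides advertise in SSH_MSG_KEXINIT, applies the RFC 4253 negotiation rule (first algorithm in the client's list that the server also offers, shown for one direction only; real SSH negotiates client-to-server and server-to-client separately), and reports whether the resulting cipher/MAC pair is one of the susceptible combinations and whether both sides signal the strict KEX extension. The cipher, MAC and strict-KEX pseudo-algorithm names are the real OpenSSH identifiers; the sample KEXINIT contents are constructed.

```python
# Added example (not from the Terrapin paper or any SSH implementation): assess
# an SSH negotiation for the Terrapin-susceptible cipher/MAC pairs and for
# strict-KEX support on both sides. Sample lists below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
# Pseudo-algorithms OpenSSH 9.6 places in the kex list to signal strict KEX support.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


@dataclass
class Side:
    kex: List[str]
    ciphers: List[str]
    macs: List[str]


@dataclass
class Assessment:
    cipher: Optional[str]
    mac: Optional[str]
    susceptible_pair: bool   # cipher/MAC pair the attack works against
    strict_kex: bool         # both sides advertise strict KEX
    reason: str

    @property
    def exposed(self) -> bool:
        # Exposed only if the pair is susceptible AND strict KEX is not negotiated.
        return self.susceptible_pair and not self.strict_kex


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253: first algorithm in the client's list that the server also supports."""
    return next((alg for alg in client if alg in server), None)


def classify_pair(cipher: Optional[str], mac: Optional[str]) -> Tuple[bool, str]:
    if cipher is None:
        return False, "no common cipher"
    if cipher == CHACHA:
        # AEAD cipher, no separate MAC; its state is tracked only by sequence numbers.
        return True, "chacha20-poly1305@openssh.com"
    if cipher.endswith("-cbc") and mac is not None and mac.endswith(ETM_SUFFIX):
        return True, "CBC cipher with Encrypt-then-MAC"
    return False, "CTR/stream cipher or non-ETM MAC: deletion would be detected"


def assess(client: Side, server: Side) -> Assessment:
    cipher = negotiate(client.ciphers, server.ciphers)
    mac = negotiate(client.macs, server.macs)
    susceptible, reason = classify_pair(cipher, mac)
    strict = STRICT_KEX_CLIENT in client.kex and STRICT_KEX_SERVER in server.kex
    return Assessment(cipher, mac, susceptible, strict, reason)


# Constructed KEXINIT contents, trimmed to the fields that matter here.
LEGACY_SERVER = Side(kex=["curve25519-sha256"],
                     ciphers=[CHACHA, "aes256-ctr", "aes256-cbc"],
                     macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
PATCHED_SERVER = Side(kex=["curve25519-sha256", STRICT_KEX_SERVER],
                      ciphers=LEGACY_SERVER.ciphers, macs=LEGACY_SERVER.macs)
CLIENT = Side(kex=["curve25519-sha256", STRICT_KEX_CLIENT],
              ciphers=[CHACHA, "aes256-ctr"],
              macs=["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    for name, srv in [("legacy", LEGACY_SERVER), ("patched", PATCHED_SERVER)]:
        a = assess(CLIENT, srv)
        print(f"{name}: {a.cipher}/{a.mac} strict_kex={a.strict_kex} "
              f"exposed={a.exposed} ({a.reason})")
```

Against the legacy server the client's first preference, chacha20-poly1305@openssh.com, is negotiated and no strict KEX is signalled, so the pair is reported as exposed; against the patched server the same pair is negotiated but both sides carry the strict-KEX marker, so it is not. Moving aes256-ctr ahead of ChaCha20 in the client's cipher list is the other way to clear the finding when one side cannot be updated.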

OpenSSH 9.6 and other implementations add a "strict KEX" protocol extension to block the attack; it is enabled automatically when both the server and the client support it. The extension terminates the connection on receipt of any abnormal or unnecessary message (for example, SSH_MSG_IGNORE or SSH2_MSG_DEBUG) during connection negotiation, and also resets the MAC (Message Authentication Code) counter after each key exchange completes.
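To see why the two strict-KEX rules close the gap described above, it helps to model only the piece of the receiver that matters: the implicit per-packet sequence counter and the point at which integrity protection switches on. The following is an added example, not code from the Terrapin paper or from OpenSSH or any other SSH implementation. A packet is reduced to (message type, sender's sequence number), the MAC check is reduced to "does that number match the receiver's own counter" (and applies only after NEWKEYS, since earlier packets carry no MAC), and the wire transcripts are constructed. The message numbers are the real SSH values.

```python
# Added example (not from the Terrapin paper or any SSH implementation): a toy
# receive-side model of the SSH packet sequence counter and of the two strict-KEX
# rules: reject IGNORE/DEBUG during key exchange, reset the counter after NEWKEYS.
from typing import List, Tuple

SSH_MSG_IGNORE = 2          # real SSH message numbers (RFC 4253, RFC 8308)
SSH_MSG_DEBUG = 4
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21


class HandshakeAborted(Exception):
    pass


class Receiver:
    """Tracks the implicit receive sequence number (RFC 4253 section 6.4)."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0              # implicit counter, bumped for every packet
        self.in_kex = True        # the initial key exchange starts immediately
        self.mac_active = False   # no integrity protection before NEWKEYS
        self.received: List[int] = []

    def receive(self, msg_type: int, seq: int) -> None:
        # Stand-in for MAC verification: the MAC covers the implicit sequence
        # number, so a packet numbered differently than expected fails here.
        if self.mac_active and seq != self.seq:
            raise HandshakeAborted(f"MAC failure: expected seq {self.seq}, got {seq}")
        self.seq += 1
        # Strict-KEX rule 1: IGNORE/DEBUG are not tolerated during key exchange.
        if self.strict_kex and self.in_kex and msg_type in (SSH_MSG_IGNORE, SSH_MSG_DEBUG):
            raise HandshakeAborted("strict kex: unexpected message during key exchange")
        if msg_type == SSH_MSG_IGNORE:
            return                # discarded, but it still consumed a sequence number
        self.received.append(msg_type)
        if msg_type == SSH_MSG_NEWKEYS:
            self.in_kex = False
            self.mac_active = True
            # Strict-KEX rule 2: reset the counter after every key exchange, so
            # nothing received before NEWKEYS can shift the numbering after it.
            if self.strict_kex:
                self.seq = 0


def run(strict_kex: bool, wire: List[Tuple[int, int]]) -> Tuple[str, List[int]]:
    """Feed a wire transcript to a receiver; returns ("ok" or abort reason, messages kept)."""
    rx = Receiver(strict_kex)
    try:
        for msg_type, seq in wire:
            rx.receive(msg_type, seq)
    except HandshakeAborted as exc:
        return str(exc), rx.received
    return "ok", rx.received


# Constructed transcripts of what the client sees on the wire from the server.
# Legacy numbering: the sender's counter keeps climbing across NEWKEYS.
CLEAN = [(SSH_MSG_KEXINIT, 0), (SSH_MSG_NEWKEYS, 1),
         (SSH_MSG_EXT_INFO, 2), (SSH_MSG_SERVICE_ACCEPT, 3)]
# EXT_INFO removed and nothing else changed: the gap shows up at the next MAC check.
DROPPED = [(SSH_MSG_KEXINIT, 0), (SSH_MSG_NEWKEYS, 1), (SSH_MSG_SERVICE_ACCEPT, 3)]
# The pattern the text describes: an IGNORE inserted before NEWKEYS (unauthenticated,
# so its number is never checked) shifts the receiver's counter, then EXT_INFO is removed.
SHIFTED = [(SSH_MSG_KEXINIT, 0), (SSH_MSG_IGNORE, 1), (SSH_MSG_NEWKEYS, 1),
           (SSH_MSG_SERVICE_ACCEPT, 3)]
# Strict-KEX numbering: both sides restart at 0 after NEWKEYS.
CLEAN_STRICT = [(SSH_MSG_KEXINIT, 0), (SSH_MSG_NEWKEYS, 1),
                (SSH_MSG_EXT_INFO, 0), (SSH_MSG_SERVICE_ACCEPT, 1)]
DROPPED_STRICT = [(SSH_MSG_KEXINIT, 0), (SSH_MSG_NEWKEYS, 1), (SSH_MSG_SERVICE_ACCEPT, 1)]

if __name__ == "__main__":
    cases = [("clean", False, CLEAN), ("dropped", False, DROPPED),
             ("shifted", False, SHIFTED), ("shifted+strict", True, SHIFTED),
             ("clean+strict", True, CLEAN_STRICT), ("dropped+strict", True, DROPPED_STRICT)]
    for name, strict, wire in cases:
        print(f"{name:15s} -> {run(strict, wire)}")
```

Without strict KEX, a plain deletion is caught by the MAC check on the next packet, but the shifted transcript passes every check and EXT_INFO is simply absent from what the receiver processed. With strict KEX the inserted IGNORE terminates the handshake on rule 1, and even if it did not, rule 2 restarts both counters at zero after NEWKEYS, so a deletion after that point again produces a visible mismatch. The real extension also requires KEXINIT to be the first packet of the connection and rejects other unexpected message types; those checks are left out of this model.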

Source: opennet.ru
