-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
325 lines (270 loc) · 17.3 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk">
<meta name="keywords" content="Terrapin attack, SSH vulnerability, SSH protocol, Security breach, Integrity, Network security, Prefix truncation attack, Cyber Security Research">
<link rel="apple-touch-icon" sizes="180x180" href="media/img/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="media/img/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="media/img/favicon-16x16.png">
<link rel="manifest" href="media/img/site.webmanifest">
<meta name="theme-color" content="#ffffff">
<title>Terrapin Attack</title>
<link href="media/css/style.css" rel="stylesheet" type="text/css">
<script async src="https://analytics.terrapin-attack.com/script.js" data-website-id="3972bcd7-1b3f-469b-b999-ce55441b27ae"></script>
</head>
<body>
<header id="top">
<h1>Terrapin Attack</h1>
<div class="logo"></div>
</header>
<section id="intro">
<ul class="toc">
<li><a href="#paper">Paper</a>
<li><a href="#scanner">Vulnerability Scanner</a></li>
<li><a href="#question-answer">Q&A</a></li>
<li><a href="patches.html">Patches</a></li>
</ul>
</section>
<section>
<h2>News</h2>
<p>
<ul>
<li>The accepted paper including the artifact appendix is now available.</li>
<li>The Terrapin Attack will be presented at <a href="https://rwc.iacr.org/2024/program.php">Real World Crypto Symposium 2024</a>,
<a href="https://www.blackhat.com/us-24/briefings/schedule/index.html#terrapin-attack-breaking-ssh-channel-integrity-by-sequence-number-manipulation-40179">Black Hat USA 2024</a>,
and <a href="https://www.usenix.org/conference/usenixsecurity24">USENIX Security Symposium 2024</a>.</li>
<li>We compiled a comprehensive <a href="patches.html">list of SSH implementations</a> adopting the "strict kex" countermeasure by OpenSSH.</li>
<li>Recommended Articles:
<a href="https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack">Ars Technica</a> (Dan Goodin),
<a href="https://www.theregister.com/2023/12/20/terrapin_attack_ssh">The Register</a> (Connor Jones)</li>
</ul>
</p>
<hr>
<h2>Introduction</h2>
<p>SSH is an internet standard that provides secure access to network services,
particularly remote terminal login and file transfer within organizational networks
and to over 15 million servers on the open internet.</p>
<p><i>Terrapin</i> is a prefix truncation attack targeting the SSH protocol. More precisely,
Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting
the sequence numbers during the handshake, an attacker can remove an arbitrary amount
of messages sent by the client or server at the beginning of the secure channel without
the client or server noticing it.</p>
<p>The attack can be performed in practice, allowing an attacker to downgrade the connection's
security by truncating the extension negotiation message (RFC8308) from the transcript.
The truncation can lead to using less secure client authentication algorithms and deactivating
specific countermeasures against keystroke timing attacks in OpenSSH 9.5.</p>
<p>We also showed that Terrapin can be used to enable the exploitation of implementation flaws.
For example, we found several weaknesses in the AsyncSSH servers' state machine, allowing an
attacker to sign a victim's client into another account without the victim noticing. Hence,
it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM)
capabilities within the encrypted session.</p>
<p>To perform the Terrapin attack in practice, we require MitM capabilities at the network layer
(the attacker must be able to intercept and modify the connection's traffic). Additionally,
the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.
However, our scan indicates an extensive adoption of these encryption modes; therefore,
Terrapin applies to most real-world SSH sessions.</p>
<hr>
<h2>Attack Overview</h2>
<img src="media/img/terrapin-attack.png">
<p>The image shows a practical application of the Terrapin attack. The attacker can
drop the EXT_INFO message, used for negotiating several protocol extensions, without
the client or server noticing it. Usually, packet deletion would be detected by
the client when receiving the next binary packet sent by the server, as sequence numbers
would mismatch. To avoid this, an attacker injects an ignored packet during the handshake
to offset the sequence numbers accordingly.
</p>
<hr>
<h2 id="paper">Full Technical Paper</h2>
<p><a href="TerrapinAttack.pdf">Terrapin Attack: Breaking SSH Channel Integrity
By Sequence Number Manipulation</a>, Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk.
</p>
<p>Also available on the <a href="https://www.usenix.org/conference/usenixsecurity24/presentation/b%C3%A4umer">USENIX Security '24 website</a>
and <a href="https://arxiv.org/abs/2312.12422">arXiv</a>. The artifacts are available on
<a href="https://github.com/RUB-NDS/Terrapin-Artifacts/">GitHub</a>.</p>
<hr>
<h2 id="scanner">Vulnerability Scanner</h2>
<p>We provide a simple console application, written in Go, which can be used to determine
whether an SSH server or client is vulnerable to the Terrapin attack. The scanner
connects to your SSH server (or listens for an incoming client connection)
to detect whether vulnerable encryption modes are offered and if the strict key exchange
countermeasure is supported. It does not perform a fully-fledged handshake, nor does it
actually perform the attack.</p>
<p>Pre-built binaries for all major platforms and the source code are available on
<a href="https://github.com/RUB-NDS/Terrapin-Scanner/releases/latest">GitHub</a>.</p>
<hr>
<h2 id="question-answer">FAQ</h2>
<h3>I am an admin, should I drop everything and fix this?</h3>
<p>Probably not.</p>
<p>The attack requires an active Man-in-the-Middle attacker that can intercept and
modify the connection's traffic at the TCP/IP layer. Additionally,
we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher
in combination with Encrypt-then-MAC as the connection's encryption mode.
</p>
<p>If you feel uncomfortable waiting for your SSH implementation to provide a patch,
you can workaround this vulnerability by temporarily disabling the affected
chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration
of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.
</p>
<p>Fair word of warning: If configured improperly or your client does not support these algorithms,
you may lose access to your server. Also, some (very) old versions of OpenSSH (6.2 and 6.3)
are vulnerable to a <a href="https://www.openssh.com/txt/gcmrekey.adv">buffer overflow when using AES-GCM</a>.</p>
<h3>What can the attackers gain?</h3>
<p>Within the paper we describe an extension downgrade attack,
allowing an attacker to downgrade the security of an SSH connection
when using SSH extension negotiation. The impact in practice heavily
depends on the supported extensions. Most commonly, this will impact
the security of client authentication when using an RSA public key.
When using OpenSSH 9.5, it may also be used to deactivate certain
countermeasures to keystroke timing attacks.</p>
<p>We also showed that the Terrapin attack can be used to enable
certain attacks that exploit additional implementation flaws. For example,
we used flaws in the internal state machine of AsyncSSH in combination
with our attack to obtain a MitM position at the session layer.
</p>
<p>However, the potential consequences of the general Terrapin attack are
dependent on the messages exchanged after the handshake concludes. If you
are using a custom SSH service and do not resort to the authentication
protocol, you should check that dropping the first few messages of a connection
does not yield security risks.
</p>
<h3>Who is vulnerable?</h3>
<p>Almost everyone. The Terrapin attack exploits weaknesses in the SSH transport
layer protocol in combination with newer cryptographic algorithms and encryption
modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted
by a wide range of SSH implementations, therefore affecting a majority of current
implementations.</p>
<p>In practice, our attack can be applied against any connection using either
ChaCha20-Poly1305 or any CBC-mode cipher in combination with the Encrypt-then-MAC paradigm.
Theoretically, CTR-mode ciphers in combination with the Encrypt-then-MAC paradigm are
vulnerable as well, although this weakness cannot be exploited in a real-world scenario.</p>
<h3>So how practical is the attack?</h3>
<p>The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way
for an attacker to intercept and modify the data sent from the client or server
to the remote peer. This is difficult on the Internet, but can be a plausible
attacker model on the local network.</p>
<p>Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC
and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have
become the default for many years and as such spread across the SSH ecosystem. Our scan
indicated that at least 77% of SSH servers on the internet supported at least one
mode that can be exploited in practice.</p>
<h3>Is my SSH client/server vulnerable?</h3>
<p>Most likely, yes.</p>
<p>In more technical terms, if your SSH implementations supports (and is configured to offer) the
<code>chacha20-poly1305@openssh.com</code> encryption algorithm, or any encryption algorithm suffixed
<code>-cbc</code> in combination with any MAC algorithm suffixed <code>-etm@openssh.com</code>,
you are vulnerable to Terrapin.
</p>
<p>You can use our <a href="#scanner">vulnerability scanner</a> to determine whether your client or server is vulnerable.</p>
<h3>I patched my SSH client/server, am I safe now?</h3>
<p>It depends. The strict key exchange countermeasure implemented by OpenSSH and other vendors
requires both, client and server, to support it, in order to take effect. Connecting a vulnerable
client to a patched server, and vice versa, still results in a vulnerable connection.</p>
<h3>Does this vulnerability have a CVE number?</h3>
<p>
Yes. We got assigned a total of three CVE numbers. These are:
<ul>
<li>CVE-2023-48795: General Protocol Flaw</li>
<li>CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH</li>
<li>CVE-2023-46446: Rogue Session Attack in AsyncSSH</li>
<li>CVE-2024-41909: General Protocol Flaw (Apache MINA SSHD)</li>
</ul>
</p>
<h3>Is this a new attack?</h3>
<p>The Terrapin attack can be considered the first attack in a new family of attacks
targeting cryptographic network protocols and is the first ever practically exploitable
prefix truncation attack that we know of. The only other mentioning of a prefix truncation
attack was by Cédric Fournet on behalf of the miTLS team on an
<a href="https://mailarchive.ietf.org/arch/msg/tls/extoO9ETJLnEm3MRDTO23x70DFM/">IETF mailing list</a>. Fournet
described potential weaknesses in a draft version of TLS 1.3 that used to not reset sequence
numbers when activating new keys, although his considerations remained theoretical as "[...]
prefix truncations will probably cause the handshake to fail". The draft was subsequently
changed and no prefix truncation attacks in TLS 1.3 are known to this date.
</p>
<h3>Why is the attack called "Terrapin"?</h3>
<p>The name "Terrapin" started as an acronym, but considering how tortured it looked,
we opted to drop the acronym part and only retained the name. We chose this name
because SSH and terrapins have one thing in common: Shells. And I think we can all
agree that terrapins (and turtles in general) are cute animals.</p>
<h3>How have vendors responded to this vulnerability?</h3>
<p>Many vendors have updated their SSH implementation to support an optional strict
key exchange. Strict key exchange is a backwards-incompatible change to the SSH
handshake which introduces sequence number resets and takes away an attacker's capability
to inject packets during the initial, unencrypted handshake. However, to take effect, both
client and server must support this feature.</p>
<h3>What about other protocols?</h3>
<p>To this date, we are not aware of any practical prefix truncation in other cryptographic
network protocols. All versions of TLS reset the message sequence number to zero when
changing key, therefore decoupling unencrypted and encrypted sequence numbers. Additionally,
TLS authenticates the entire handshake thus preventing an attacker from inserting
any message. While IPSec/IKE only authenticates parts of its handshake, the sequence numbers
are reset similar to TLS, rendering it immune to our attack.</p>
<h3>What about other cipher modes?</h3>
<p>AES-GCM (RFC5647) is not affected by Terrapin as it does not use the SSH sequence numbers.
Instead, AES-GCM uses the IV obtained from key derivation as its nonce, incrementing it
after sending a binary packet. In a healthy connection, this results in the nonce being
at a fixed offset from the sequence number.
</p>
<p>The original Encrypt-and-MAC paradigma from RFC4253 protects the integrity of the plaintext,
thus thwarting our attack, which yields one pseudorandom block during decryption.
</p>
<h3>Is this vulnerability severe enough to deserve a name, a logo and a web page?</h3>
<p>Terrapin is not a simple software bug that can be fixed with an update
to a single library or component. Instead, clients and servers need
to be updated to protect the connection against prefix truncation
attacks. This means we need to raise awareness of the issue across all
SSH client and server implementations, which is a considerable effort. We expect
that the general Terrapin attack will stay with us for many years, so we
have a cute animal to keep us company while we help clients and servers
to adopt the suggested countermeasures!</p>
<h3>How can I contact you?</h3>
<p>You can reach us via mail, Twitter, or Mastodon:</p>
<ul>
<li>Fabian Bäumer, Ruhr University Bochum,
<a href="https://x.com/TrueSkrillor">@TrueSkrillor</a>,
<a href="https://infosec.exchange/@Skrillor">@Skrillor@infosec.exchange</a>,
fabian.baeumer@rub.de</li>
<li>Marcus Brinkmann, Ruhr University Bochum,
<a href="https://x.com/lambdafu">@lambdafu</a>,
<a href="https://mastodon.social/@lambdafu">@lambdafu@mastodon.social</a>,
marcus.brinkmann@rub.de</li>
<li>Jörg Schwenk, Ruhr University Bochum,
<a href="https://x.com/JoergSchwenk">@JoergSchwenk</a>,
joerg.schwenk@rub.de</li>
</ul>
<h3>Responsible Disclosure Timeline</h3>
<ul>
<li>2023-10-17: Initial contact with OpenSSH and Ron Frederick (author of AsyncSSH)</li>
<li>2023-11-08: AsyncSSH published a patched version fixing the implementation bugs</li>
<li>2023-11-17: Initial contact with 17 other SSH implementation vendors (round 1)</li>
<li>2023-11-17: Disclosed findings to the German CERT-Bund. Findings were later forwarded to partnered CERTs by CERT-Bund.</li>
<li>2023-11-21: Initial contact with 12 other SSH implementations after initial feedback from round 1 (round 2)</li>
<li>2023-12-11: Disclosed findings to the distros mailing list</li>
<li>2023-12-18: Public Disclosure</li>
</ul>
</section>
<section id="acknowledgements">
<a class="acknowledgement" href="https://ruhr-uni-bochum.de">
<img id="logo-rub" src="media/img/Logo_RUB.png" alt="Ruhr University Bochum Logo">
</a>
<a class="acknowledgement" href="https://hgi.rub.de">
<img id="logo-hgi" src="media/img/Logo_HGI.jpg" alt="HGI Logo">
</a>
<a class="acknowledgement" href="https://casa.rub.de">
<img id="logo-casa" src="media/img/Logo_CASA.png" alt="CASA Logo">
</a>
</section>
<footer>
<p class="text-muted">Last updated 2024-09-02. The Terrapin
website is free to use under
a <a href="//creativecommons.org/publicdomain/zero/1.0/">CC0</a>
license. Web design by <a href="http://sarahmadden.com/">Sarah
Madden</a> and Christian Dresen.
Adapted for Terrapin by Fabian Bäumer.
The Terrapin logo was designed
by <a href="https://www.fiverr.com/tnhs_project">tnhs_project</a>.
| <a href="imprint.html">Imprint</a></p>
</footer>
</body>
</html>