"Terrapin" MitM attack / CVE-2023-48795 #2337
Labels
Comments
|
CI is green now that I fixed some speling and inserted the final OpenSSH version number in our changelog. Waiting on a final thumbs up from the researchers re: additional fixes I put in yesterday, and will then plop this out on PyPI. |
|
3.4 is on PyPI! https://www.paramiko.org/changelog.html#3.4.0 |
|
@bitprophet could you clarify exactly what is the patch here? 96db1e2 and 33508c9? i believe debian will need to backport the fixes to 2.7.2 and 2.4.2, your input on that would be tremendously useful... |
|
Not upstream, but there is above mentioned a branch where the fixes were developed, so all what is between/covered by 2566d2d...3e4bdf9 is needed for the fixes? |
renovate bot
added a commit
to sheldonhull/az-pr
that referenced
this issue
Dec 25, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/crypto | `v0.16.0` -> `v0.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | copilot:all ### GitHub Vulnerability Alerts #### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. --- ### Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details ##### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ##### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ##### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ##### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. #### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) - [https://nvd.nist.gov/vuln/detail/CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) - [apache/mina-sshd#445 - [hierynomus/sshj#916 - [janmojzis/tinyssh#81 - [mwiede/jsch#457 - [paramiko/paramiko#2337 - [proftpd/proftpd#456 - [NixOS/nixpkgs#275249 - [libssh2/libssh2#1291 - [mwiede/jsch#461 - [https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0](https://togithub.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0) - [https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab](https://togithub.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5](https://togithub.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5) - [https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3](https://togithub.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3) - [https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951](https://togithub.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951) - [https://access.redhat.com/security/cve/cve-2023-48795](https://access.redhat.com/security/cve/cve-2023-48795) - [https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/) - [https://bugs.gentoo.org/920280](https://bugs.gentoo.org/920280) - [https://bugzilla.redhat.com/show_bug.cgi?id=2254210](https://bugzilla.redhat.com/show_bug.cgi?id=2254210) - [https://bugzilla.suse.com/show_bug.cgi?id=1217950](https://bugzilla.suse.com/show_bug.cgi?id=1217950) - [https://crates.io/crates/thrussh/versions](https://crates.io/crates/thrussh/versions) - [https://forum.netgate.com/topic/184941/terrapin-ssh-attack](https://forum.netgate.com/topic/184941/terrapin-ssh-attack) - [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6) - [https://github.com/TeraTermProject/teraterm/releases/tag/v5.1](https://togithub.com/TeraTermProject/teraterm/releases/tag/v5.1) - [https://github.com/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) - [https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22](https://togithub.com/connectbot/sshlib/compare/2.2.21...2.2.22) - [https://github.com/drakkan/sftpgo/releases/tag/v2.5.6](https://togithub.com/drakkan/sftpgo/releases/tag/v2.5.6) - [https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42](https://togithub.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42) - [https://github.com/erlang/otp/releases/tag/OTP-26.2.1](https://togithub.com/erlang/otp/releases/tag/OTP-26.2.1) - [https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25](https://togithub.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25) - [https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15](https://togithub.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15) - [https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16](https://togithub.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16) - [https://github.com/openssh/openssh-portable/commits/master](https://togithub.com/openssh/openssh-portable/commits/master) - [https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/master/RELEASE_NOTES) - [https://github.com/rapier1/hpn-ssh/releases](https://togithub.com/rapier1/hpn-ssh/releases) - [https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst](https://togithub.com/ronf/asyncssh/blob/develop/docs/changes.rst) - [https://github.com/ronf/asyncssh/tags](https://togithub.com/ronf/asyncssh/tags) - [https://github.com/warp-tech/russh](https://togithub.com/warp-tech/russh) - [https://github.com/warp-tech/russh/releases/tag/v0.40.2](https://togithub.com/warp-tech/russh/releases/tag/v0.40.2) - [https://gitlab.com/libssh/libssh-mirror/-/tags](https://gitlab.com/libssh/libssh-mirror/-/tags) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/) - [https://matt.ucc.asn.au/dropbear/CHANGES](https://matt.ucc.asn.au/dropbear/CHANGES) - [https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC) - [https://news.ycombinator.com/item?id=38684904](https://news.ycombinator.com/item?id=38684904) - [https://news.ycombinator.com/item?id=38685286](https://news.ycombinator.com/item?id=38685286) - [https://oryx-embedded.com/download/#changelog](https://oryx-embedded.com/download/#changelog) - [https://security-tracker.debian.org/tracker/CVE-2023-48795](https://security-tracker.debian.org/tracker/CVE-2023-48795) - [https://security-tracker.debian.org/tracker/source-package/libssh2](https://security-tracker.debian.org/tracker/source-package/libssh2) - [https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg) - [https://security-tracker.debian.org/tracker/source-package/trilead-ssh2](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2) - [https://thorntech.com/cve-2023-48795-and-sftp-gateway/](https://thorntech.com/cve-2023-48795-and-sftp-gateway/) - [https://twitter.com/TrueSkrillor/status/1736774389725565005](https://twitter.com/TrueSkrillor/status/1736774389725565005) - [https://ubuntu.com/security/CVE-2023-48795](https://ubuntu.com/security/CVE-2023-48795) - [https://www.bitvise.com/ssh-server-version-history](https://www.bitvise.com/ssh-server-version-history) - [https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html) - [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update) - [https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc) - [https://www.netsarang.com/en/xshell-update-history/](https://www.netsarang.com/en/xshell-update-history/) - [https://www.openssh.com/openbsd.html](https://www.openssh.com/openbsd.html) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) - [https://www.openwall.com/lists/oss-security/2023/12/18/2](https://www.openwall.com/lists/oss-security/2023/12/18/2) - [https://www.openwall.com/lists/oss-security/2023/12/20/3](https://www.openwall.com/lists/oss-security/2023/12/20/3) - [https://www.paramiko.org/changelog.html](https://www.paramiko.org/changelog.html) - [https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/) - [https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/) - [https://www.terrapin-attack.com](https://www.terrapin-attack.com) - [http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html) - [http://www.openwall.com/lists/oss-security/2023/12/18/3](http://www.openwall.com/lists/oss-security/2023/12/18/3) - [http://www.openwall.com/lists/oss-security/2023/12/19/5](http://www.openwall.com/lists/oss-security/2023/12/19/5) - [http://www.openwall.com/lists/oss-security/2023/12/20/3](http://www.openwall.com/lists/oss-security/2023/12/20/3) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-45x7-px36-x8w8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6. #### Severity Unknown #### References - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2402) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/sheldonhull/az-pr). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
|
Yup, @carnil's got it, that diff notation appears to match to the branch linked in the OP. (I'm not sure why GH doesn't make it easier to examine branches post-merge. When I use tools like |
|
@anarcat ☝🏻 🙏🏻 |
|
Hi @bitprophet , I'm currently trying to fix paramiko for Debian buster (LTS). The version of paramiko in Debian buster is 2.4.2 - and I'd like to socialite your expertise to help me if my thoughts are correct. While backpacking the patches, I realized that 2.4.2. might not be vulnerable to terrapin at all, as it seems not to support certain features required to exploit the vulnerability: When using the terrapin Vulnerability Scanner , the tool seems to support the idea that this version is not vulnerable: (this is without the backported patches) Please correct any flaws in my thinking ;-) Thanks a lot, |
|
Hi @coldtobi, It looks like the scanner is accurate; I just looked it up and we only added ETM MAC modes in Paramiko 2.5. (and ChaCha20 is still not implemented, fwiw). And even Paramiko 2.5-2.8 are likely not super vulnerable, as EXT_INFO was only implemented in 2.9, and my understanding is that one of the main practical attacks with Terrapin is to force one end of the connection to disregard EXT_INFO. |
mend-for-github-com bot
added a commit
to DelineaXPM/dsv-k8s-sidecar
that referenced
this issue
Jan 15, 2024
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/crypto | `v0.14.0` -> `v0.17.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. --- ### Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6. #### Severity Unknown #### References - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2402) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) / [GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) / [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) <details> <summary>More information</summary> #### Details ##### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ##### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ##### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ##### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@​openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. #### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) - [https://nvd.nist.gov/vuln/detail/CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) - [PowerShell/Win32-OpenSSH#2189 - [apache/mina-sshd#445 - [cyd01/KiTTY#520 - [hierynomus/sshj#916 - [janmojzis/tinyssh#81 - [mwiede/jsch#457 - [paramiko/paramiko#2337 - [proftpd/proftpd#456 - [ssh-mitm/ssh-mitm#165 - [NixOS/nixpkgs#275249 - [libssh2/libssh2#1291 - [mwiede/jsch#461 - [https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0](https://togithub.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0) - [https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab](https://togithub.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab) - [https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d](https://togithub.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d) - [https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5](https://togithub.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5) - [https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3](https://togithub.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3) - [https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951](https://togithub.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951) - [https://access.redhat.com/security/cve/cve-2023-48795](https://access.redhat.com/security/cve/cve-2023-48795) - [https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/](https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/) - [https://bugs.gentoo.org/920280](https://bugs.gentoo.org/920280) - [https://bugzilla.redhat.com/show_bug.cgi?id=2254210](https://bugzilla.redhat.com/show_bug.cgi?id=2254210) - [https://bugzilla.suse.com/show_bug.cgi?id=1217950](https://bugzilla.suse.com/show_bug.cgi?id=1217950) - [https://crates.io/crates/thrussh/versions](https://crates.io/crates/thrussh/versions) - [https://filezilla-project.org/versions.php](https://filezilla-project.org/versions.php) - [https://forum.netgate.com/topic/184941/terrapin-ssh-attack](https://forum.netgate.com/topic/184941/terrapin-ssh-attack) - [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6](https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6) - [https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta](https://togithub.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta) - [https://github.com/TeraTermProject/teraterm/releases/tag/v5.1](https://togithub.com/TeraTermProject/teraterm/releases/tag/v5.1) - [https://github.com/advisories/GHSA-45x7-px36-x8w8](https://togithub.com/advisories/GHSA-45x7-px36-x8w8) - [https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22](https://togithub.com/connectbot/sshlib/compare/2.2.21...2.2.22) - [https://github.com/drakkan/sftpgo/releases/tag/v2.5.6](https://togithub.com/drakkan/sftpgo/releases/tag/v2.5.6) - [https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42](https://togithub.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42) - [https://github.com/erlang/otp/releases/tag/OTP-26.2.1](https://togithub.com/erlang/otp/releases/tag/OTP-26.2.1) - [https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25](https://togithub.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25) - [https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15](https://togithub.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15) - [https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16](https://togithub.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16) - [https://github.com/openssh/openssh-portable/commits/master](https://togithub.com/openssh/openssh-portable/commits/master) - [https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES) - [https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES](https://togithub.com/proftpd/proftpd/blob/master/RELEASE_NOTES) - [https://github.com/rapier1/hpn-ssh/releases](https://togithub.com/rapier1/hpn-ssh/releases) - [https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst](https://togithub.com/ronf/asyncssh/blob/develop/docs/changes.rst) - [https://github.com/ronf/asyncssh/tags](https://togithub.com/ronf/asyncssh/tags) - [https://github.com/warp-tech/russh](https://togithub.com/warp-tech/russh) - [https://github.com/warp-tech/russh/releases/tag/v0.40.2](https://togithub.com/warp-tech/russh/releases/tag/v0.40.2) - [https://gitlab.com/libssh/libssh-mirror/-/tags](https://gitlab.com/libssh/libssh-mirror/-/tags) - [https://go.dev/cl/550715](https://go.dev/cl/550715) - [https://go.dev/issue/64784](https://go.dev/issue/64784) - [https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ](https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ) - [https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg) - [https://help.panic.com/releasenotes/transmit5/](https://help.panic.com/releasenotes/transmit5/) - [https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/](https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/) - [https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html](https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/) - [https://matt.ucc.asn.au/dropbear/CHANGES](https://matt.ucc.asn.au/dropbear/CHANGES) - [https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC](https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC) - [https://news.ycombinator.com/item?id=38684904](https://news.ycombinator.com/item?id=38684904) - [https://news.ycombinator.com/item?id=38685286](https://news.ycombinator.com/item?id=38685286) - [https://news.ycombinator.com/item?id=38732005](https://news.ycombinator.com/item?id=38732005) - [https://nova.app/releases/#v11.8](https://nova.app/releases/#v11.8) - [https://oryx-embedded.com/download/#changelog](https://oryx-embedded.com/download/#changelog) - [https://roumenpetrov.info/secsh/#news20231220](https://roumenpetrov.info/secsh/#news20231220) - [https://security-tracker.debian.org/tracker/CVE-2023-48795](https://security-tracker.debian.org/tracker/CVE-2023-48795) - [https://security-tracker.debian.org/tracker/source-package/libssh2](https://security-tracker.debian.org/tracker/source-package/libssh2) - [https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg](https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg) - [https://security-tracker.debian.org/tracker/source-package/trilead-ssh2](https://security-tracker.debian.org/tracker/source-package/trilead-ssh2) - [https://security.gentoo.org/glsa/202312-16](https://security.gentoo.org/glsa/202312-16) - [https://security.gentoo.org/glsa/202312-17](https://security.gentoo.org/glsa/202312-17) - [https://security.netapp.com/advisory/ntap-20240105-0004/](https://security.netapp.com/advisory/ntap-20240105-0004/) - [https://thorntech.com/cve-2023-48795-and-sftp-gateway/](https://thorntech.com/cve-2023-48795-and-sftp-gateway/) - [https://twitter.com/TrueSkrillor/status/1736774389725565005](https://twitter.com/TrueSkrillor/status/1736774389725565005) - [https://ubuntu.com/security/CVE-2023-48795](https://ubuntu.com/security/CVE-2023-48795) - [https://winscp.net/eng/docs/history#6.2.2](https://winscp.net/eng/docs/history#6.2.2) - [https://www.bitvise.com/ssh-client-version-history#933](https://www.bitvise.com/ssh-client-version-history#933) - [https://www.bitvise.com/ssh-server-version-history](https://www.bitvise.com/ssh-server-version-history) - [https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html](https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html) - [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update](https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update) - [https://www.debian.org/security/2023/dsa-5586](https://www.debian.org/security/2023/dsa-5586) - [https://www.debian.org/security/2023/dsa-5588](https://www.debian.org/security/2023/dsa-5588) - [https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc) - [https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508](https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508) - [https://www.netsarang.com/en/xshell-update-history/](https://www.netsarang.com/en/xshell-update-history/) - [https://www.openssh.com/openbsd.html](https://www.openssh.com/openbsd.html) - [https://www.openssh.com/txt/release-9.6](https://www.openssh.com/txt/release-9.6) - [https://www.openwall.com/lists/oss-security/2023/12/18/2](https://www.openwall.com/lists/oss-security/2023/12/18/2) - [https://www.openwall.com/lists/oss-security/2023/12/20/3](https://www.openwall.com/lists/oss-security/2023/12/20/3) - [https://www.paramiko.org/changelog.html](https://www.paramiko.org/changelog.html) - [https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/](https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/) - [https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/](https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/) - [https://www.terrapin-attack.com](https://www.terrapin-attack.com) - [https://www.theregister.com/2023/12/20/terrapin_attack_ssh](https://www.theregister.com/2023/12/20/terrapin_attack_ssh) - [https://www.vandyke.com/products/securecrt/history.txt](https://www.vandyke.com/products/securecrt/history.txt) - [http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html](http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html) - [http://www.openwall.com/lists/oss-security/2023/12/18/3](http://www.openwall.com/lists/oss-security/2023/12/18/3) - [http://www.openwall.com/lists/oss-security/2023/12/19/5](http://www.openwall.com/lists/oss-security/2023/12/19/5) - [http://www.openwall.com/lists/oss-security/2023/12/20/3](http://www.openwall.com/lists/oss-security/2023/12/20/3) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-45x7-px36-x8w8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41Mi4wIiwidXBkYXRlZEluVmVyIjoiMzcuMTA4LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is just a tracking ticket to note that we are aware of the issue described here: https://terrapin-attack.com/ - and have been working with the researchers to release a new Paramiko version that mitigates the described attack pattern.
We expect to put out Paramiko 3.4 within the next day or so. The work in progress is here: https://github.com/paramiko/paramiko/tree/cve-2023-48795
The text was updated successfully, but these errors were encountered: