Unveiling Terrapin: A New Threat to SSH Security

SSH (Secure Shell) has long been hailed as a reliable protocol for secure network access, widely used for remote terminal logins and file transfers. However, the fortress of secure online connections now faces a dilemma – the Terrapin attack. In this blog, we delve into the intricacies of Terrapin, its potential impact on existing password-based authentication systems, and how organizations can safeguard against this insidious attack. Ready to plunge into the chaos? Buckle up, and let's explore!

Understanding Terrapin

Terrapin is not your average security vulnerability; it's a prefix truncation attack specifically designed to exploit weaknesses in the SSH protocol. By manipulating sequence numbers during the handshake process, an attacker can selectively remove messages from the beginning of the secure channel without detection. Imagine a hacker manipulating the building blocks of your messages, pulling them out one by one without you even batting an eye!

The Attack in Action

The Terrapin attack is not just theoretical; it has real-world implications. Attackers can downgrade connection security by truncating essential messages, such as the extension negotiation message (RFC8308). This truncation can lead to the use of less secure client authentication algorithms and the deactivation of specific countermeasures in OpenSSH 9.5.

The vulnerability has been assigned following CVEs

• CVE-2023-48795 (CVSSv3 : 5.9 MEDIUM) - General Protocol Flaw
• CVE-2023-46445 (CVSSv3 : 5.9 MEDIUM) - Rogue Extension Negotiation Attack in AsyncSSH
• CVE-2023-46446 (CVSSv3 : 6.8 MEDIUM) - Rogue Session Attack in AsyncSSH

Downsides for Password-Based Authentication

Password-based authentication systems are particularly vulnerable to the Terrapin attack. The attack allows an adversary to compromise the integrity of the secure channel, potentially leading to unauthorized access and exploitation of implementation flaws. Picture this: attackers downgrade your connection security by snipping crucial messages. Your passwords might be waltzing into the wrong hands. This could result in attackers signing victims into other accounts without detection, paving the way for sophisticated phishing attacks. Just beware that Terrapin's not a party crasher; it's the DJ changing the beats!

Mitigating the Threat

To perform the Terrapin attack, a Man-in-the-Middle attacker is required, along with a cozy spot in local networks, making it challenging on the open internet. However, within local networks, where MITM attacks are plausible, the threat becomes more significant. Furthermore, the attack focuses on SSH connections that use widely adopted encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC.

Vulnerability Scanner

To assist organizations in determining vulnerability, a simple console application is developed in Go. This tool helps identify if an SSH server or client is susceptible to the Terrapin attack based on the offered encryption modes and support for strict key exchange countermeasures.

Conclusion: A Safer Alternative at PureID

With Certificate-based authentication, the risk of MITM is mitigated as certificates are bound with IP addresses. Any man-in-the middle will not be able to replay the client certificate, manipulate the handshake & successfully establish TLS connection.

PureID's ZITA (Just in Time Access) fully eliminates the risk of Terrapin along with any MITM attack. This approach, unlike outdated password-based systems, stands resilient against Terrapin. As the threat landscape evolves, prioritizing advanced authentication mechanisms becomes paramount for ensuring a secure network environment. Forget passwords; they're so yesterday! Join the secure squad – it’s the future!