SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details
The SSH protocol has a serious weakness known as the Terrapin attack. The attack manipulates sequence numbers during the initial handshake, letting an attacker silently delete messages at the very start of the session. An attacker who can intercept and modify the traffic (Man-in-the-Middle capabilities) can exploit this flaw to lower the security of the SSH session: by removing important messages, they can make the session use weaker authentication methods and turn off defenses against certain types of attacks.
Severity Rating
Medium
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 187315 to scan the device for this vulnerability.
Alternatively, use the scanner provided at https://terrapin-attack.com/#scanner
How to Fix
Please note, incorrect configuration or using a client that does not support certain algorithms might result in losing server access. Additionally, older OpenSSH versions, specifically 6.2 and 6.3, have a known vulnerability with AES-GCM that can lead to a buffer overflow.
You can see the affected and patched versions here: https://terrapin-attack.com/patches.html
1. Update SSH Software: Ensure both client and server are using the latest version of SSH that includes patches for the vulnerability (see the link above for affected and patched versions).
2. Enforce Strict Key Exchange Policies: This prevents attackers from forcing the use of weaker cryptographic protocols.
The effectiveness of the strict key exchange measures implemented by OpenSSH and others depends on mutual support from both the client and the server. If either the client or the server is not updated to support these measures, the connection remains vulnerable, even if one side is patched.
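The mutual-support requirement above can be checked from the algorithm lists each side sends in its SSH_MSG_KEXINIT message. The following is an added example, not code from this page or from the scanner it links to; the marker names and affected cipher modes are those published for OpenSSH's strict key exchange and are not listed on this page, and the sample offers are constructed.

```python
# Name-list order of SSH_MSG_KEXINIT as defined in RFC 4253, section 7.1
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_SERVER = "kex-strict-s-v00@openssh.com"  # marker a patched server adds
STRICT_CLIENT = "kex-strict-c-v00@openssh.com"  # marker a patched client adds

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list")
        out[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return out

def terrapin_exposure(lists: dict, marker: str = STRICT_SERVER) -> dict:
    """Report affected modes on offer and whether this peer offers strict kex."""
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in enc
    cbc_etm = any(c.endswith("-cbc") for c in enc) and any("-etm@" in m for m in mac)
    strict = marker in lists["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def strict_kex_active(client: dict, server: dict) -> bool:
    """Strict kex only takes effect when both peers advertise their marker."""
    return STRICT_CLIENT in client["kex"] and STRICT_SERVER in server["kex"]

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload from name-lists (used for the constructed samples)."""
    body = b"\x14" + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows + reserved

# Constructed sample offers, not captured from a real host.
UNPATCHED = {"kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
             "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
             "enc_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
             "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
PATCHED = dict(UNPATCHED, kex=UNPATCHED["kex"] + [STRICT_SERVER])
```

Pass `STRICT_CLIENT` as `marker` when assessing a client's KEXINIT instead of a server's.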
Rollback
Remove the implementation of Strict Key Exchange Policies.
How to Verify the Fix
- Rescan the device with Nessus plugin ID 187315 and check for the vulnerability.
- Use the scanner at https://terrapin-attack.com/#scanner
Links (for additional resources and references)