SSH Transport Protocol Vulnerability

Advisory ID: ngCERT-2024-0014

Summary: 

Vulnerability assessment revealed the presence of a security flaw in SSH transport protocol found in versions of OpenSSH older than 9.6 and other products. The weakness could allow remote attackers to bypass integrity checks, leading to downgraded or disabled security features within a client and server connection, also known as a Terrapin Attack. This could lead to unauthorized access to sensitive information or compromise of network security. Accordingly, users and systems administrators are advised to take proactive steps to guard against exploits by threat actors.

Threat Type(s): Terrapin Attack

Impact/Vulnerability: CRITICAL/HIGH

Product(s): OpenSSH, LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto

Platform(s): SSH Transport Protocol 

Version(s): OpenSSH before 9.6 and All versions of SSH software and libraries

Description: 

The SSH transport protocol found in OpenSSH before 9.6 and other SSH software and libraries allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), causing security features to be downgraded or disabled within a client and server connection (a Terrapin Attack). This allows attackers to exploit the SSH protocol, potentially gaining unauthorized access to sensitive information or compromising network security. Notably, Terrapin method of attack alters SSH data during the handshake between servers and devices, functioning as a Man-in-the-middle (MITM) between connections that exist between remote administrators and their core, or on-prem, network. While this CVE is classified as moderate because the attack requires an active MITM to intercept and modifies a connection’s traffic at the TCP/IP layer, it does allow attackers to delete consecutive messages. Some of the vulnerable products and versions include, OpenSSH versions before 9.6 and other software and libraries, such as LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto.

Solution:  

The following are recommended:

• System administrators should carry out organizations inventory and scan all systems with vulnerable SSH versions.
• Organizations should patch their SSH implementations with the latest security updates.
• System administrators and users should carry out regular review and update of SSH key management practices.
• Regular security audits and adopting a layered security approach.
• Implementation of robust firewalls, intrusion detection systems, and rigorous access controls to significantly reduce the risk of such vulnerabilities.

References:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-48795

• https://nvd.nist.gov/vuln/detail/CVE-2023-48795

• https://www.fortiguard.com/psirt/FG-IR-23-490

• https://blog.qualys.com/vulnerabilities-threat-research/2023/12/21/ssh-attack-surface-cve-2023-48795-find-and-patch-before-the-grinch-arrives-with-cybersecurity-asset-management