OpenSSH and Various SSH Libraries Terrapin Attack Vulnerability Allowing Security Downgrade

A vulnerability exists in the SSH transport protocol with certain OpenSSH extensions, prior to version 9.6, as well as in several other products. This vulnerability allows remote attackers to bypass integrity checks by omitting certain packets from the extension negotiation message. As a result, a client and server may end up with a connection that has downgraded or disabled security features, known as a Terrapin attack. The issue arises from a mishandling of the handshake phase and sequence numbers in the SSH Binary Packet Protocol, particularly affecting the use of ChaCha20-Poly1305 and CBC with Encrypt-then-MAC. The vulnerability is present in multiple SSH implementations, including libraries and tools such as PuTTY, AsyncSSH, and Paramiko, among others.

Impact

Exploitation of this vulnerability allows a Man-in-the-Middle attacker to delete packets from the SSH extension negotiation, disabling certain security features and countermeasures, particularly those introduced in OpenSSH 9.5.

Reproduction

The vulnerability can be reproduced by establishing an SSH connection using a client that does not support the 'kex-strict' extension, which is available in OpenSSH 9.6 and some other SSH implementations. During the key exchange, an attacker can inject SSH_MSG_IGNORE messages to remove SSH_MSG_EXT_INFO messages after the key exchange, exploiting the lack of authentication for the ignored messages and the delayed sequence number checks.

Remediation

Users can update to the latest version of OpenSSH or another affected SSH library that has implemented the 'kex-strict' countermeasure. For products that do not yet support this, the affected algorithms can be disabled as a temporary workaround.