Security researchers in Germany published a paper disclosing an attack on the SSH transport layer protocol, which they named the Terrapin attack.
The Terrapin attack manipulates sequence numbers during the handshake and thereby breaks the integrity of the SSH channel when certain widely used encryption modes are in use. This lets an attacker delete or modify messages exchanged over the channel, which in turn allows it to downgrade the public key algorithms used for user authentication or to disable the defenses against keystroke timing attacks introduced in OpenSSH 9.5.
The Terrapin attack exploits a weakness in the SSH transport layer protocol in combination with cryptographic algorithms and modes that OpenSSH introduced roughly a decade ago. It reduces the security of an established connection by truncating important negotiation messages without the client or the server noticing.
The researchers at Ruhr University Bochum, Germany, who developed the Terrapin attack also found exploitable implementation flaws in AsyncSSH. The vulnerabilities associated with the Terrapin attack are tracked as CVE-2023-48795, CVE-2023-46445 and CVE-2023-46446. CVE-2023-48795 is the generic SSH protocol vulnerability; CVE-2023-46445 and CVE-2023-46446 are specific to the Python SSH implementation AsyncSSH (versions before 2.14.2).
To carry out a Terrapin attack, the adversary must be in a man-in-the-middle (MITM) position at the network layer so that it can intercept and modify the handshake exchange, and the SSH connection must negotiate either chacha20-poly1305@openssh.com or a CBC cipher combined with Encrypt-then-MAC.
What the messages exchanged right after the handshake carry determines how severe the impact of the attack is.
The Terrapin attack (CVE-2023-48795) is a prefix truncation attack that lets a MITM attacker degrade the security of an SSHv2 connection during extension negotiation. The issue is similar to one that was found and fixed in the TLS 1.3 draft in 2015.
"A successful Terrapin attack could lead to the use of less secure client authentication algorithms and to the deactivation of specific countermeasures against keystroke timing attacks in OpenSSH 9.5," the study states. "In some very special cases it can be used to decrypt some secrets, such as the password or part of the password when a user logs in, but this is only theoretical and almost impossible to pull off in a practical scenario."
In simplified form, the attack works as follows:
When an SSH client connects to an SSH server, the two parties perform a handshake and exchange information in plaintext before the secure encrypted channel is established. Each side keeps two sequence counters: one for received messages and one for sent messages. Whenever a message is sent or received, the relevant counter is incremented, so the counters continuously record how many messages each party has sent and received.
Figure: SSH handshake with finite field Diffie-Hellman key exchange. The sequence numbers are implicit and maintained by the Binary Packet Protocol (BPP); snd is the counter for sent packets and rcv the counter for received packets. Sequence numbers that are cryptographically authenticated are shown in bold.
As the man in the middle, the Terrapin attacker injects a plaintext "ignore" message (SSH_MSG_IGNORE) into the not-yet-secured connection during the handshake. The client takes it to come from the server, increments its sequence counter for received messages and, as the protocol requires, otherwise discards the message. Then, once the secure channel is established, the MITM attacker prevents the server's message about the additional defenses from reaching the client. It does not matter that this message is encrypted: the attacker simply drops it, so the client never sees it and never acts on it.
Because of the previously inserted plaintext ignore message, the client still ends up having received the expected number of messages, and the server still believes it has sent the correct number of messages.
Even though a message was intercepted and dropped by the man in the middle during connection setup, the send and receive sequence counters appear consistent on both sides, and that is what matters, because these counters are what the integrity checks of the handshake are bound to. If the counters line up, the connection is allowed to continue. This is why the "ignore" message is inserted: when the extension message is dropped inside the secure channel, neither the client nor the server notices anything.
Figure: illustration of the researchers' novel prefix truncation attack on the BPP. The server sends sc1 and sc2, but the client only receives sc2.
Any number of "ignore" messages can be inserted in order to remove the same number of server-to-client messages during connection establishment. In this way the attacker can disrupt the connection setup, lower the security level that is used, disable extensions, and potentially exploit deeper weaknesses in a particular client or server implementation.
In short, the encryption algorithm used by the secure channel is decisive for whether the attack succeeds.
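The sequence counter manipulation described above, and the strict key exchange fix that OpenSSH 9.6 ships, are easiest to see in a small model. The following is an added illustration, not real SSH and not the researchers' code: the handshake is reduced to a scripted server-to-client message sequence (constructed), and the integrity check is modelled as "the receiver's rcv counter must equal the seq number the sender used", which is what binding the sequence number into the MAC or AEAD nonce amounts to for this attack. It assumes strict kex is either negotiated by both sides or by neither.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# SSH_MSG_* numbers from RFC 4253 / RFC 8308; the server script is constructed.
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31
SERVER_SCRIPT = [SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS,
                 SSH_MSG_EXT_INFO, SSH_MSG_SERVICE_ACCEPT]


@dataclass
class Packet:
    msg_type: int
    seq: int          # sender's sequence number when the packet was built
    encrypted: bool   # True once the sender has sent NEWKEYS


@dataclass
class Endpoint:
    name: str
    strict_kex: bool = False   # models kex-strict negotiated by both peers
    snd: int = 0               # sequence number of the next packet to send
    rcv: int = 0               # sequence number expected on the next packet
    tx_secure: bool = False    # we have sent NEWKEYS
    rx_secure: bool = False    # we have received NEWKEYS
    received: List[int] = field(default_factory=list)
    aborted: Optional[str] = None

    def send(self, msg_type: int) -> Packet:
        pkt = Packet(msg_type, self.snd, self.tx_secure)
        self.snd += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.tx_secure = True
            if self.strict_kex:
                self.snd = 0   # strict kex: counters restart after NEWKEYS
        return pkt

    def receive(self, pkt: Packet) -> None:
        if self.aborted:
            return
        if self.strict_kex and not self.rx_secure and pkt.msg_type == SSH_MSG_IGNORE:
            # strict kex: unexpected messages during the initial kex abort the connection
            self.aborted = "unexpected SSH_MSG_IGNORE during key exchange"
            return
        if self.rx_secure and (not pkt.encrypted or pkt.seq != self.rcv):
            # real SSH: MAC/AEAD verification fails because the bound seq differs
            self.aborted = "integrity failure: seq %d, expected %d" % (pkt.seq, self.rcv)
            return
        self.rcv += 1
        if pkt.msg_type != SSH_MSG_IGNORE:
            self.received.append(pkt.msg_type)
        if pkt.msg_type == SSH_MSG_NEWKEYS:
            self.rx_secure = True
            if self.strict_kex:
                self.rcv = 0


Attacker = Callable[[Packet], List[Packet]]


def honest_network(pkt: Packet) -> List[Packet]:
    return [pkt]


def drop_ext_info_only(pkt: Packet) -> List[Packet]:
    # Naive MITM: dropping EXT_INFO alone leaves the client's rcv counter one behind.
    return [] if pkt.msg_type == SSH_MSG_EXT_INFO else [pkt]


def terrapin_mitm(pkt: Packet) -> List[Packet]:
    # Terrapin: inject a plaintext IGNORE before the plaintext KEXINIT so the
    # client's rcv counter runs one ahead, then silently drop the encrypted EXT_INFO.
    if pkt.msg_type == SSH_MSG_KEXINIT:
        return [Packet(SSH_MSG_IGNORE, seq=0, encrypted=False), pkt]
    if pkt.msg_type == SSH_MSG_EXT_INFO:
        return []
    return [pkt]


def run(attacker: Attacker, strict_kex: bool = False) -> Tuple[Endpoint, Endpoint]:
    server, client = Endpoint("server", strict_kex), Endpoint("client", strict_kex)
    for msg in SERVER_SCRIPT:
        for pkt in attacker(server.send(msg)):
            client.receive(pkt)
    return server, client


if __name__ == "__main__":
    for label, atk, strict in [("honest", honest_network, False),
                               ("drop only", drop_ext_info_only, False),
                               ("terrapin", terrapin_mitm, False),
                               ("terrapin + strict kex", terrapin_mitm, True)]:
        s, c = run(atk, strict)
        print(label, "->", c.aborted or "connected", "received:", c.received,
              "server.snd=%d client.rcv=%d" % (s.snd, c.rcv))
```

Running the script shows the three outcomes that matter: dropping EXT_INFO on its own trips the integrity check, the Terrapin sequence (inject, then drop) leaves both counters at 5 and the client connected without ever having seen EXT_INFO, and with strict kex the injected IGNORE aborts the handshake before the attacker gets that far.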
The Terrapin study analyzed three potentially affected modes:
chacha20-poly1305@openssh.com was found to be "vulnerable and fully exploitable".
CBC with Encrypt-then-MAC (CBC-EtM) is also vulnerable and can be exploited "probabilistically", although depending on the implementation the attack may fail.
CTR with Encrypt-then-MAC (CTR-EtM) is affected by the flaw as well, but it cannot be exploited in practice.
According to the study, more than three-quarters (77%) of public-facing SSH servers support "at least one mode that can be exploited in practice", and 57% list an exploitable mode as their preferred choice.
Although the Terrapin attack has specific preconditions, the encryption modes described above are widely used in the real world (77% according to the scan), which makes the attack feasible in real-world scenarios.
Affected software vendors are gradually rolling out mitigations. One fix is a strict key exchange mode that makes packet injection during the handshake impossible.
However, it will take some time for the problem to be universally resolved, and the strict key exchange countermeasure is only effective if it is implemented on both the client and the server.
The researchers have released a scanning tool, Terrapin-Scanner (github.com/RUB-NDS/Terrapin-Scanner), which administrators can use to determine whether an SSH client or server is vulnerable.
Since the biggest mitigating factor for the Terrapin attack is the MITM requirement, its threat appears less severe. For most people it is therefore acceptable not to rush the patches and to put the corresponding mitigations in place in the meantime.
Early on, assessing the full severity of the protocol flaw behind the Terrapin attack was difficult, because it depended on a series of variables that vary from network to network and were not yet well understood by the researchers.
So far the researchers have devised two ways to exploit prefix truncation. The first is an extension downgrade, which strips the extensions that OpenSSH and other SSH implementations use to protect the connection. For example:
An extension downgrade can disable the keystroke timing countermeasure that OpenSSH 9.5 (released in October 2023) introduced; keystroke timing attacks can recover typed words by measuring the timing between keystrokes.
The Terrapin attack can also strip the extension that advertises SHA-2 based signature algorithms (server-sig-algs), so that SSH falls back to the weaker SHA-1 based ssh-rsa for user authentication instead.
The most striking exploit in the study involves two vulnerabilities specific to AsyncSSH (CVE-2023-46445 and CVE-2023-46446).
AsyncSSH is a Python SSH implementation with an estimated 60,000 downloads per day. One of the flaws, CVE-2023-46445, can be exploited to replace the extension info message sent by the server, giving the attacker control over its content, which is more serious than the generic attack that merely drops the message. The vulnerability applies when a client using AsyncSSH connects to a server running any SSH software, provided both sides send the "extension info" message (SSH_MSG_EXT_INFO, as described in the SSH protocol).
The second AsyncSSH flaw, CVE-2023-46446, allows an attacker to take control of the remote end of an SSH client session, by injecting or deleting packets or by impersonating an established shell, when a client using any SSH software connects to a server running AsyncSSH.
In the worst case for CVE-2023-46446, the AsyncSSH server starts a shell for the authenticated user on connection, and the attacker has prepared a modified shell in advance to carry out a perfect phishing attack, becoming a man in the middle at the application layer. This vulnerability does not affect connections where the username of the authenticated user is not used outside of authentication.
The researchers are quick to say that this is not a flaw that requires people to drop their tools and prioritize fixing it. "The attack requires an active man-in-the-middle attacker who can intercept and modify the connection's traffic at the TCP/IP layer," they said. "In addition, chacha20-poly1305 or any CBC cipher needs to be negotiated, combined with encrypt-then-mac as the encryption mode for the connection."
It is a good idea to keep an eye on patches or updates and install them when you can: on Linux, for example, they should arrive through the usual distribution update mechanism.
OpenSSH 9.6 has been released and addresses the Terrapin attack with a strict key exchange protocol, which stops these attacks as long as both the server and the client support it.
Connecting a vulnerable client to a patched server, or vice versa, still results in a vulnerable connection, so clients need to be upgraded as well.
PuTTY 0.80 has been released to address the Terrapin attack, and libssh has released 0.10.6 and 0.9.8 to fix the problem.
Besides installing updates, administrators can mitigate the attack by disabling the affected encryption modes in the SSH server configuration and switching to less vulnerable algorithms such as AES-GCM.
This setting carries its own risk: if the server is misconfigured or the client does not support the remaining algorithms, clients may no longer be able to connect, so verify the change carefully before applying it.
Note also that older OpenSSH versions (6.2 and 6.3) are susceptible to a buffer overflow when using AES-GCM, so take care there as well.
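The server-side mitigation above amounts to checking which cipher/MAC combinations sshd will actually offer. The following is an added example, not the researchers' Terrapin-Scanner (which probes a live server): it audits an sshd_config text offline. It assumes the OpenSSH keyword syntax for Ciphers and MACs, including the +, - and ^ list modifiers, and the OpenSSH 9.x default algorithm lists embedded below (an assumption; check them against your own version). The two configurations in the block are constructed, with the weak one followed by a hardened one that keeps only AES-GCM and AES-CTR.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Assumed OpenSSH 9.x defaults from sshd_config(5); needed to resolve +/-/^ lists.
DEFAULT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                   "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
DEFAULT_MACS = ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
                "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
                "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
CHACHA = "chacha20-poly1305@openssh.com"

# Constructed example configs (not from any real host).
WEAK_CONFIG = """
# chacha20 preferred, plus CBC ciphers with EtM MACs: exploitable
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
"""
HARDENED_CONFIG = """
# AES-GCM preferred, CTR as fallback, no chacha20 and no CBC
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""


def parse_config(text: str) -> Dict[str, str]:
    """Keyword -> value, first occurrence wins as in sshd; comments are stripped."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.+)$", line)
        if m and m.group(1).lower() not in opts:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts


def effective_list(value: Optional[str], defaults: List[str]) -> List[str]:
    """Resolve an algorithm list: plain replacement, or +append, -remove, ^prepend."""
    if value is None:
        return list(defaults)
    mod = value[0] if value[:1] in ("+", "-", "^") else ""
    items = [i.strip() for i in value[len(mod):].split(",") if i.strip()]
    if mod == "+":
        return defaults + items
    if mod == "^":
        return items + defaults
    if mod == "-":
        return [d for d in defaults if not any(fnmatch.fnmatchcase(d, p) for p in items)]
    return items


Finding = Tuple[str, str]  # (level, message)


def audit(config_text: str) -> List[Finding]:
    """Flag the modes the Terrapin study rates as exploitable in practice."""
    opts = parse_config(config_text)
    ciphers = effective_list(opts.get("ciphers"), DEFAULT_CIPHERS)
    macs = effective_list(opts.get("macs"), DEFAULT_MACS)
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    cbc = [c for c in ciphers if "cbc" in c]
    ctr = [c for c in ciphers if c.endswith("-ctr")]
    findings: List[Finding] = []
    if CHACHA in ciphers:
        where = "as the preferred cipher" if ciphers[0] == CHACHA else "in the cipher list"
        findings.append(("high", "%s offered %s: vulnerable and fully exploitable" % (CHACHA, where)))
    if cbc and etm:
        findings.append(("medium", "CBC cipher(s) %s with Encrypt-then-MAC MAC(s) %s: "
                         "vulnerable, probabilistically exploitable"
                         % (", ".join(cbc), ", ".join(etm))))
    if ctr and etm:
        findings.append(("info", "CTR with Encrypt-then-MAC offered: affected, "
                         "but not practically exploitable"))
    return findings


def exploitable(config_text: str) -> bool:
    return any(level in ("high", "medium") for level, _ in audit(config_text))


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("defaults", "")]:
        print(name, "exploitable:", exploitable(cfg))
        for level, msg in audit(cfg):
            print("  [%s] %s" % (level, msg))
```

Note that an empty configuration is reported as exploitable, because the assumed OpenSSH defaults put chacha20-poly1305@openssh.com first; a config such as `Ciphers -chacha20-poly1305@openssh.com` removes it while keeping the rest of the defaults. Whether AES-GCM is acceptable also depends on the OpenSSH version in use, given the 6.2/6.3 issue mentioned above.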