New vulnerabilities emerge into the spotlight almost every day, capturing the public’s attention for a fleeting moment before the next sinister incident occurs. This time, the Terrapin vulnerability takes center stage.
This vulnerability in the SSH protocol, identified as CVE-2023-48795, is a security flaw that affects all SSH connections using specific configurations in OpenSSH. Secure Shell (SSH) is a network protocol used for secure communication between systems, such as secure remote access, command execution, and file transfer over unsecured networks, such as the Internet. SSH provides strong authentication and encrypted data communication, ensuring security and confidentiality in network communications.
Terrapin allows an attacker to interfere with the SSH handshake process. The handshake begins with the client initiating a TCP connection, followed by an exchange of protocol versions as outlined in RFC4253. During this process, an attacker can exploit the vulnerability to cut critical parts of the exchange without disrupting the SSH connection, creating a significant security risk to both the SSH client and server.
In fact, the Terrapin vulnerability allows an attacker to downgrade secure signature algorithms and disable specific security measures, particularly in OpenSSH 9.5. Here’s how to find out if you’ve been attacked, fix the underlying vulnerability, and then clean up.
Detection
1. Review your SSH configurations.
Use the command ssh -Q cipher to list all ciphers supported by your SSH client. Search specifically [email protected] or any cipher in Cipher Block Chaining (CBC) mode and remove them.
Also, check your SSH configuration files (/etc/ssh/sshd_config for the server, ~/.ssh/config or /etc/ssh/ssh_config for the client) for lines like Digits aes256-ctr,aes192-ctr,aes128-ctr and remove them.
2. Perform version checking of the SSH client and server.
Run ssh -V about your customer e sshd -V on your server to check its versions. If they are older than OpenSSH 9.6p1, they may be vulnerable.
Pay special attention to the configurations mentioned in the file Report CVE-2023-48795.
3. Use specialized vulnerability scanners.
Use tools like Nessus or OpenVAS to scan your SSH implementations. These tools can automatically detect vulnerable SSH versions and configurations.
Prevention
4. Configure continuous monitoring of SSH traffic.
Implement monitoring tools to detect unusual SSH traffic patterns, indicating potential AitM attacks.
5. Align security policies with SSH best practices.
Regularly update your SSH configurations to use strong and current encryption algorithms.
Use strong figures like [email protected]and disable root access (PermitRootLogin n in sshd_config).
Also, replace passwords with public key authentication.
6. Perform regular SSH risk assessments and compliance checks.
Perform thorough SSH security checks using open source tools like OpenSCAP or your choice of commercial solutions to identify configuration weaknesses and outdated software.
Regularly check for compliance with standards such as the NIST or CIS benchmarks for SSH.
7. Automate updates for SSH software.
Implement a patch management process to regularly update your SSH software.
Use automated tools like Red Hat Satellite or WSUS for Windows systems to manage updates.
Monitor sources like OpenSSH mailing lists OR CVE databases for new vulnerabilities.
Quenching and tempering
8. Update OpenSSH.
The main solution is to update OpenSSH to version 9.6p1 or later. This can be done using your system’s package manager, such as run sudo apt-get update && sudo apt-get upgrade openssh-server on Ubuntu.
9. Adjust SSH configuration settings.
If you can’t update OpenSSH immediately, modify your SSH configuration to disable vulnerable codes:
-
For servers, edit /etc/ssh/sshd_config and set Digits aes256-ctr,aes192-ctr,aes128-ctr (excluding [email protected] and ciphers in CBC mode).
-
For clients, edit ~/.ssh/config or /etc/ssh/ssh_config similarly.
After making the changes, restart the SSH service using sudo systemctl restart sshd.
10. Keep up with ongoing security updates.
Regularly monitor and apply security updates to SSH clients and servers, as part of an ongoing security maintenance program.
By combining these methods, you can conduct a comprehensive security assessment to detect and resolve the Terrapin vulnerability in your SSH infrastructure.