Wiki English
Wiki EnglishWiki DeutschWiki Nederlands

Terrapin Attack

The Terrapin attack is a cryptographic attack on the commonly used SSH protocol that is used for secure command-and-control throughout the Internet.

The Terrapin attack can reduce the security of SSH by using a downgrade attack via man-in-the-middle interception. The attack works by prefix truncation; the injection and deletion of messages during feature negotiation, manipulating sequence numbers in a way that causes other messages to be ignored without an error being detected by either client or server.

Terrapin attack
Terrapin Attack
Logo for the Terrapin attack
CVE identifier(s)CVE-2023-48795
Date discovered19 December 2023; 4 months ago (2023-12-19)
DiscovererFabian Bäumer, Marcus Brinkmann, Jörg Schwenk (Ruhr University Bochum)
Affected softwareimplementations of the Secure Shell (SSH) protocol including OpenSSH
Websitehttps://terrapin-attack.com/

According to the attack's discoverers, the majority of SSH implementations were vulnerable at the time of the discovery of the attack (2023). As of January 3, 2024, an estimated 11 million publicly accessible SSH servers are still vulnerable. However, the risk is mitigated by the requirement to intercept a genuine SSH session, and that the attack can only delete messages at the start of a negotiation, fortuitously resulting mostly in failed connections. Additionally the attack requires the use of either ChaCha20-Poly1305 or a CBC cipher in combination with Encrypt-then-MAC modes of encryption. The SSH developers have stated that the major impact of the attack is the capability to degrade the keystroke timing obfuscation features of SSH.

The designers of SSH have implemented a fix for the Terrapin attack, but the fix is only fully effective when both client and server implementations have been upgraded to support it. The researchers who discovered the attack have also created a vulnerability scanner to determine whether an SSH server or client is vulnerable.

The attack has been given the CVE ID CVE-2023-48795. In addition to the main attack, two other vulnerabilities were found in AsyncSSH, and assigned the CVE IDs CVE-2023-46445 and CVE-2023-46446.

References


This article uses material from the Wikipedia English article Terrapin attack, which is released under the Creative Commons Attribution-ShareAlike 3.0 license ("CC BY-SA 3.0"); additional terms may apply (view authors). Content is available under CC BY-SA 4.0 unless otherwise noted. Images, videos and audio are available under their respective licenses.
®Wikipedia is a registered trademark of the Wiki Foundation, Inc. Wiki English (DUHOCTRUNGQUOC.VN) is an independent company and has no affiliation with Wiki Foundation.

Tags:

Cryptographic attackDowngrade attackMan-in-the-middle attackSSH

🔥 Trending searches on Wiki English:

SexAshley OlsenPaul McCartneyClive DavisChinaList of Marvel Cinematic Universe filmsHunter SchaferSobhita Dhulipala2022 FIFA World CupBrittney GrinerThe Mandalorian (season 3)Waco siegeBen AffleckMrs. DavisDaisy Jones & The Six2022–23 Premier LeagueBlood MeridianJimmy CarterRudhranMary-Kate OlsenRRR (film)MuhammadPonniyin SelvanCheryl HinesSandra BullockAngelina JolieRajaraja IIrrfan KhanSai PallaviBreaking BadSmile (2022 film)Tu Jhoothi Main MakkaarApril 29Ana de ArmasJudy BlumeBoston Marathon bombingLance ReddickSelfieeAdam SandlerOlivia RodrigoOppenheimer (film)Nicole KidmanNarendra ModiVivek RamaswamyMel GibsonAdipurushFootball at the 2023 Southeast Asian Games – Men's tournamentIOSDua LipaList of highest-grossing Indian filmsLukas Van NessMalik WillisDr. RomanticSelena GomezJapanVallavaraiyan VandiyadevanSuccession (TV series)Philippines2023 Mutua Madrid OpenRonnie O'SullivanTom HanksTom BradyLabour DayList of UFC eventsAlexander the GreatManchester City F.C.95th Academy AwardsMillie Bobby BrownAustin ReavesNewcastle United F.C.Robert F. KennedyWes AndersonGoogle LLCNullShrek (franchise)Anne HathawaySeptember 11 attacksAnthony Richardson (American football)🡆 More