Attack Discovered Against SSH (arstechnica.com)

jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.

From TFA:

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

  • The article is pretty light on details, what about the mitigation of the problem?

    • Disable that algorithm I guess.

    • Re:Patch? (Score:5, Informative)

      by jd ( 1658 ) <imipak&yahoo,com> on Wednesday December 20, 2023 @08:43AM (#64093099) Homepage Journal

      A scanner is available for detecting vulnerability: https://terrapin-attack.com/ [terrapin-attack.com]

      OpenSSH has released a patch:
      https://lwn.net/ml/oss-securit... [lwn.net]
      https://lwn.net/Articles/95568... [lwn.net]

      I imagine distributions are building fresh binaries now, some may have already released them. The others won't be far behind.

      I can find no news about a Microsoft patch, so Windows machines (which now include SSH) will remain vulnerable.

    • Re: Patch? (Score:5, Informative)

      by pitch2cv ( 1473939 ) on Wednesday December 20, 2023 @08:44AM (#64093109)

      Upstream had been patched, so keep an eye on distro for security updates:
      https://github.com/openssh/ope... [github.com]

      Now again, like last month, the issue will persist in devices that cannot be upgraded, that never receive (firmware?) updates..

    • It is not SSH in itself; those two apps, "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", are vulnerable to that Terrapin malware. I never heard of them because I don't use SSH much; I am more of an FTP kind of guy when it comes to moving files around.
      • Re: Patch? (Score:5, Informative)

        by nicubunu ( 242346 ) on Wednesday December 20, 2023 @09:11AM (#64093187) Homepage

        "ChaCha20-Poly1305" is not an app, but one of the multiple encryption algorithms that can be used by SSH. Mitigation is simple: just use a different encryption or update SSH. The current version is fixed.

        • by Anonymous Coward
          More than likely you have the cipher enabled. Check with "ssh -Q cipher":

          # ssh -Q cipher
          3des-cbc
          blowfish-cbc
          cast128-cbc
          arcfour
          arcfour128
          arcfour256
          aes128-cbc
          aes192-cbc
          aes256-cbc
          rijndael-cbc@lysator.liu.se
          aes128-ctr
          aes192-ctr
          aes256-ctr
          aes128-gcm@openssh.com
          aes256-gcm@openssh.com
          chacha20-poly1305@openssh.com
          #

        • > "ChaCha20-Poly1305" is not an app, but one of the multiple encryption algorithms that can be used by SSH. Mitigation is simple: just use a different encryption

          I already use triple-ROT13

      • by Tarlus ( 1000874 )

        FTP works very well if you aren't worried about privacy. (Uploading graphics and HTML files to a public web server, for instance.)

        • Hell yea. Let's ftp because we can. And disregard that its RFC is almost 40 years old and predates NAT and firewalls. Let's make the client listen to connections from the server, mingle the files and not care about byte-size either way. Dropped a bit here or there? Nobody will notice, and with the fast new connection you might not even notice the dozen connections (literally!!) for one file transfer.

          What could possibly go wrong.

    • by gweihir ( 88907 )

      Simply disable Poly1305 and CBC-encrypt-then-MAC. Although Openssh does not seem to have any CBC in the default config and while ChaCha20-poly1305 is in there, it does not seem to be used by default.

      Hence doing nothing may already be enough.

      • Erh.... ChaCha20-poly1305 is active by default in OpenSSH [iacr.org] and afaik in pretty much every distro out there? (Can only confirm for Debian 12 and RHEL 8 for now.)

        (Just search for OpenSSH in the document; there's only one occurrence, reading "In addition, ChaCha20-Poly1305 is the default AEAD scheme in OpenSSH, WireGuard, OTRv4, and the Bitcoin Lightning Network.")

        But that second part of that statement made me curious, so I dug a bit deeper and it seems that ChaCha is the default Cipher/MAC for "the bitcoin p2p n [ycombinator.com]

        • by gweihir ( 88907 )

          Hmm. The server I tested it against does not have it at all. My client had it, now disabled. Both Debian oldoldstable. No idea why the difference. Maybe I did not compile it into the kernel on the server.

          • I just checked my client ... I barely even dare say what it would have accepted. I didn't know 3des is still even in OpenSSH...

            Server is only AES. If you control both sides of the communication, it's pretty trivial to dictate the supported ciphers. Yeah, I was lazy, I know, very bad practice...

            • by gweihir ( 88907 )

              Ooops ;-)

              I did find why no ChaCha/poly-1305 on my servers. Apparently there were concerns regarding the NSA for some ciphers, so I restricted the cipher-suite a few years ago and these also went out the window as side-effect.

              • (tinfoil-hat on)
                Think it may have been the NSA's doing, that they deliberately kept this little tidbit in so they could MitM SSH conversations? Did they also infiltrate bitcoin operations and convince them to use their "broken" cipher so they can monitor them with ease?
                (tinfoil-hat off)

                I love messing with the minds of conspiracy loons.

                • by gweihir ( 88907 )

                  Hehehehe, nice!

                  • I'm pretty sure there's some "secret" society out there doing a social experiment where its members meet once a month and try to come up with a more harebrained conspiracy scheme in the quest of finding one that finally nobody believes.

                    So far, they were unsuccessful.

                    • by gweihir ( 88907 )

                      Have a look at small and large cults (a.k.a. "religion") for some incredible extremes of what people are willing to believe. I do not think some of that crap can even be topped. Language is just not powerful enough.

                    • There is a nontrivial overlap between "people who are religious" and "people who believe harebrained conspiracy stories". It really does look like the latter group is a subset of the first.

                      I guess the logic is "you believe one bullshit story, you can as well believe any".

                    • by gweihir ( 88907 )

                      True, that. Basically "He is the messiah! I must know, I have followed a few!"

                      The only addition I have is that "religion" comes in a few non-standard forms like anti-vaxxers or physicalists or even some political leanings.

                    • Let's replace "religion" with "dogma". Whether people are impervious to logic and reason is not dependent on their delusion being supernatural based.

                    • by gweihir ( 88907 )

                      I fully agree to that. "Dogma" and "dogmatic" captures this effect very well.

  • At least for OpenSSH these seem not to be defaults.

    • by gweihir ( 88907 )

      Ok, I checked again. For whatever reason, I do not have chacha-poly1305 active on my servers (it was not disabled in the config), just on one client. Hence a test-login did not give me that combo at all. Self-login on that client did. So definitely make sure to disable.

      • by gweihir ( 88907 )

        And one more: I restricted the ciphers in my servers a few years back because concerns about the NSA and chacha-poly1305 got disabled as a side-effect as well.

        My apologies. I should do better fact checking. Next time.

  • Maybe there's actually some logic to the lengthy review and validation process. Even if there are NSA backdoors in the approved stuff there's incentive to make them more difficult to exploit considering the immense impact of having to change them.
  • by RemindMeLater ( 7146661 ) on Wednesday December 20, 2023 @07:53PM (#64094849)
    ffs, just tell us the config flag to set to work around this bug.
    • by Sven77 ( 5290317 )

      Ciphers -chacha20-poly1305@openssh.com

      • This is an SSH protocol vulnerability, not just a bug in OpenSSH, so don't forget to patch or reconfigure all your other SSH servers and clients (like on your routers and firewalls), libraries (e.g. libssh/libssh2), and Go/Python/Rust programs that have SSH statically built in.

        https://terrapin-attack.com/patches.html [terrapin-attack.com]

        Some other SSH implementations have severe exploits enabled by this vulnerability, like being able to log in as another user.
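The thread's advice boils down to two checks: is chacha20-poly1305@openssh.com offered, and is any CBC cipher offered alongside an Encrypt-then-MAC MAC. The script below is an added example (not from the article, the thread, or OpenSSH) that applies those checks to an OpenSSH cipher/MAC list and prints the subtractive config lines that remove the affected algorithms; the check logic, the `MACs -*-etm@openssh.com` line, the sample MAC list and the function names are my own, and the sample cipher list is constructed to mirror the `ssh -Q cipher` output quoted above.

```shell
#!/bin/sh
# Added example (not from the article, the thread, or OpenSSH): flag the
# algorithm combinations Terrapin targets in an OpenSSH cipher/MAC list.
# Feed it real lists from "ssh -Q cipher" / "ssh -Q mac" (client support)
# or "sshd -T" (effective server config); the lists below are constructed.

# terrapin_check CIPHERS MACS
# Lists may be space-, newline- or comma-separated. Returns 0 if neither
# ChaCha20-Poly1305 nor a CBC cipher together with an Encrypt-then-MAC MAC
# is offered, 1 otherwise (findings go to stdout).
terrapin_check() {
    ciphers=$(printf '%s' "$1" | tr ',' ' ')
    macs=$(printf '%s' "$2" | tr ',' ' ')
    exposed=0; cbc=0; etm=0
    for c in $ciphers; do
        case "$c" in
            chacha20-poly1305@openssh.com)
                echo "EXPOSED: cipher $c (ChaCha20-Poly1305)"; exposed=1 ;;
            *-cbc|*-cbc@*) cbc=1 ;;
        esac
    done
    for m in $macs; do
        case "$m" in *-etm@openssh.com) etm=1 ;; esac
    done
    if [ "$cbc" -eq 1 ] && [ "$etm" -eq 1 ]; then
        echo "EXPOSED: CBC cipher offered together with an Encrypt-then-MAC MAC"
        exposed=1
    fi
    return "$exposed"
}

# terrapin_mitigation: config lines that subtract the affected algorithms
# from OpenSSH's defaults (a leading '-' removes entries, wildcards allowed).
# Dropping the CBC ciphers instead of the EtM MACs also breaks the 2nd combo.
terrapin_mitigation() {
    printf '%s\n' 'Ciphers -chacha20-poly1305@openssh.com' \
                  'MACs -*-etm@openssh.com'
}

# Constructed sample lists; the cipher list mirrors the ssh -Q output above.
SAMPLE_CIPHERS="3des-cbc aes128-cbc aes256-cbc aes128-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com"
SAMPLE_MACS="umac-64-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-256"

if terrapin_check "$SAMPLE_CIPHERS" "$SAMPLE_MACS"; then
    echo "no Terrapin-relevant algorithm combination offered"
else
    echo "add to sshd_config / ssh_config (then restart sshd):"
    terrapin_mitigation
fi
```

Removing the algorithms is a workaround for unpatched hosts; the patched OpenSSH releases the thread links to fix the protocol-level issue via the strict key exchange extension, and both peers must support it.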
