Attack Discovered Against SSH (arstechnica.com)
jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.
From TFA:
At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.
The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.
Re: (Score:1, Informative)
Conservatives seem more concerned with "woke" issues than anyone else. Why are they always thinking about trans people and if someone has a big black cock? Not that it's gay or anything, but seriously does that woman have a big dick?
Re: (Score:2)
How is it off topic you ask? You tell me:
"Conservatives seem more concerned with "woke" issues than anyone else. Why are they always thinking about trans people and if someone has a big black cock? Not that it's gay or anything, but seriously does that woman have a big dick?"
Regardless of the initial comment, THAT response is labeled "Informative"?? Fucking how exactly? Is it supposed to be some kind of informative or topical comment for SSH or are conservatives supposed to learn something?
Learn what getting off topic actually means. Can't fucking believe I had to spell it out.
Re: How unwoke (Score:1)
I don't think that has anything to do with trans, rather the whole "inclusive language" crap that, among other things, seeks to delete words from the English language on behalf of people who like to be offended so they can use each incident for points towards winning the oppression olympics.
It's a crock of shit, of course.
Re: (Score:1)
Well someone has to think about the children!
um, wait maybe thats not uh....
Re:SSH compromised (Score:5, Funny)
That's it I'm switching back to telnet.
Re: (Score:3)
Amateurs. I just call up someone sitting at the computer I want to log into and tell them my password over the phone.
Re: (Score:2)
I've been retired now for over eight years, but before I retired there were a few times that I had to do this when the system that controlled the door swipes and locks had crashed, as one of the mainframe operators was previously a network admin at another job. Walking him through rebooting and logging into an ancient RedHat 8 (NOT RHEL, the original RedHat 8 Linux) got it operating again. I had added an account with
Re:SSH compromised (Score:5, Funny)
If you use .hosts files, your password can't be sniffed...
Re:SSH compromised (Score:4, Insightful)
NASA didn't do * *, but it did use login and rhosts files for a very long time for "security reasons". (They claimed SSH was not approved for government use.)
As a result, their fileservers were often used by hackers to provide torrents.
Patch? (Score:2)
The article is pretty light on details, what about the mitigation of the problem?
Re: (Score:3)
Disable that algorithm I guess.
Re:Patch? (Score:5, Informative)
A scanner is available for detecting the vulnerability: https://terrapin-attack.com/ [terrapin-attack.com]
OpenSSH has released a patch:
https://lwn.net/ml/oss-securit... [lwn.net]
https://lwn.net/Articles/95568... [lwn.net]
I imagine distributions are building fresh binaries now, some may have already released them. The others won't be far behind.
I can find no news about a Microsoft patch, so Windows machines (which now include SSH) will remain vulnerable.
Re: Patch? (Score:5, Informative)
Upstream had been patched, so keep an eye on distro for security updates:
https://github.com/openssh/ope... [github.com]
Now again, like last month, the issue will persist in devices that cannot be upgraded, that never receive (firmware?) updates..
Re: Patch? (Score:5, Informative)
"ChaCha20-Poly1305" is not an app, but one of the multiple encryption algorithms that can be used by SSH. Mitigation is simple: just use a different encryption algorithm or update SSH. The current version is fixed.
Re: (Score:1)
# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
#
Re: (Score:2)
> "ChaCha20-Poly1305" is not an app, but one of the multiple encryption algorithms that can be used by SSH. Mitigation is simple: just use a different encryption
I already use triple-ROT13
Re: (Score:2)
In fact, SSH does have file transfer functionality natively. It's called "scp".
Re: (Score:1)
Yes but that's Scp. "Cp over ssh". Ssh itself is just the secure connection and -usually- involves invoking a shell thus "(S)ecure (SH)ell".
With no other parameters or options enabled that's what it does.
Re: (Score:2)
With no parameters, ssh does nothing...
Re: (Score:2)
ftp doesn't work over ssh as far as I know since it uses multiple random ports. You can use sftp which is just a subset of ssh and comes with the openssh server or simply use scp (again included with openssh) to move files around. So, for many years, I have in fact been using ssh to move files around. ssh can also execute remote commands so moving a file with a pure ssh command would be something like:
cat filename | ssh remoteserver 'cat > filename'   # quoted so the redirection runs on the remote side, not over the local file
scp and sftp are like wrappers to be more convenien
Re: (Score:3)
You can tunnel active and passive FTP through SSH. It's just not as elegant as SFTP.
Re: Patch? (Score:4)
Or if you are on a Linux host you can use sshfs to just mount random remote directories on your workstation and get on with life.
Re: (Score:3)
Lest we forget, for the ultimate in file handling convenience, there's also sshfs.
Re: (Score:1)
You can run ftp over an ssh tunnel. It just sucks to set up but Google is your friend. I definitely would recommend scp, bcp, rsync, or any of several other programs over ftp but there are situations where ftp is a business requirement outside your control so negotiating with the other party to tunnel over ssh is your best bet there.
Yes you can cat a file through an ssh pipe but I wouldn't try that with a binary file without extra options or multiple files. You also don't get a way to restart failed files
Re: (Score:1)
SSH does direct moving of files (scp) and secure FTP (sftp), which is not ftp over ssh, but ssh replacing ftp. Incidentally, ssh also does remote execution of commands. Login is really just one of several functions of ssh.
Re: (Score:2)
FTP works very well if you aren't worried about privacy. (Uploading graphics and HTML files to a public web server, for instance.)
Re: Patch? (Score:2)
Hell yea. Let's ftp because we can. And disregard that its RFC is almost 40 years old and predates NAT and firewalls. Let's make the client listen to connections from the server, mingle the files and not care about byte-size either way. Dropped a bit here or there? Nobody will notice, and with the fast new connection you might not even notice the dozen connections (literally!!) for one file transfer.
What could possibly go wrong.
Re: (Score:2)
Simply disable Poly1305 and CBC-encrypt-then-MAC. Although OpenSSH does not seem to have any CBC in the default config and while ChaCha20-Poly1305 is in there, it does not seem to be used by default.
Hence doing nothing may already be enough.
Re: (Score:2)
Erh.... ChaCha20-Poly1305 is active by default in OpenSSH [iacr.org] and afaik in pretty much every distro out there? (Can only confirm for Debian 12 and RHEL 8 for now).
(just search for OpenSSH in the document, there's only one occurrence reading "In addition, ChaCha20-Poly1305 is the default AEAD scheme in OpenSSH, WireGuard, OTRv4, and the Bitcoin Lightning Network."
But that second part of that statement made me curious, so I dug a bit deeper and it seems that ChaCha is the default Cipher/MAC for "the bitcoin p2p n [ycombinator.com]
Re: (Score:2)
Hmm. The server I tested it against does not have it at all. My client had it, now disabled. Both Debian oldoldstable. No idea why the difference. Maybe I did not compile it into the kernel on the server.
Re: (Score:2)
I just checked my client ... I barely even dare say what it would have accepted. I didn't know 3des is still even in OpenSSH...
Server is only AES. If you control both sides of the communication, it's pretty trivial to dictate the supported ciphers. Yeah, I was lazy, I know, very bad practice...
Re: (Score:2)
Ooops ;-)
I did find why no ChaCha/poly-1305 on my servers. Apparently there were concerns regarding the NSA for some ciphers, so I restricted the cipher-suite a few years ago and these also went out the window as side-effect.
Re: (Score:2)
(tinfoil-hat on)
Think it may have been the NSA's doing, that they deliberately kept this little tidbit in so they could MitM SSH conversations? Did they also infiltrate bitcoin operations and convince them to use their "broken" cipher so they can monitor them with ease?
(tinfoil-hat off)
I love messing with the minds of conspiracy loons.
Re: (Score:2)
Hehehehe, nice!
Re: (Score:2)
I'm pretty sure there's some "secret" society out there doing a social experiment where its members meet once a month and try to come up with a more harebrained conspiracy scheme in the quest of finding one that finally nobody believes.
So far, they were unsuccessful.
Re: (Score:2)
Have a look at small and large cults (a.k.a. "religion") for some incredible extremes of what people are willing to believe. I do not think some of that crap can even be topped. Language is just not powerful enough.
Re: (Score:2)
There is a nontrivial overlap between "people who are religious" and "people who believe harebrained conspiracy stories". It really does look like the latter group is a subset of the first.
I guess the logic is "you believe one bullshit story, you can as well believe any".
Re: (Score:2)
True, that. Basically "He is the messiah! I must know, I have followed a few!"
The only addition I have is that "religion" comes in a few non-standard forms like anti-vaxxers or physicalists or even some political leanings.
Re: (Score:2)
Let's replace "religion" with "dogma". Whether people are impervious to logic and reason is not dependent on their delusion being supernatural based.
Re: (Score:2)
I fully agree to that. "Dogma" and "dogmatic" captures this effect very well.
Not the defaults (Score:2)
At least for OpenSSH these seem not to be defaults.
Re: (Score:2)
Ok, I checked again. For whatever reasons, I do not have chacha-poly1305 active on my servers (it was not disabled in the config), just on one client. Hence a test-login did not give me that combo at all. Self-login on that client did. So definitely make sure to disable.
Re: (Score:2)
And one more: I restricted the ciphers in my servers a few years back because concerns about the NSA and chacha-poly1305 got disabled as a side-effect as well.
My apologies. I should do better fact checking. Next time.
Not FIPS approved (Score:1)
So what's the mod to sshd_config? (Score:3)
Re: (Score:2)
Ciphers -chacha20-poly1305@openssh.com
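As an added example (not code from this thread, the Ars article, the Terrapin scanner at terrapin-attack.com, or the OpenSSH project), here is a small POSIX shell audit tying together the checks people asked for above: it classifies the algorithm list from the ssh -Q cipher output quoted earlier, reads the cipher/MAC pairs a real ssh -vv session actually negotiated, and prints the config line from this answer extended to also drop CBC ciphers, which the summary names as the other affected case (CBC with Encrypt-then-MAC). The ssh -Q mac list, the ssh -vv lines and the host name are constructed samples; the "kex: ... cipher: ... MAC: ..." line layout is OpenSSH's debug format, and the "-" prefix with "*" wildcards in Ciphers is OpenSSH config syntax for removing entries from the default set.

```shell
#!/bin/sh
# Terrapin (CVE-2023-48795) exposure check for OpenSSH-style algorithm names.
# Added example for this thread; not code from Slashdot, Ars Technica,
# the Terrapin scanner or the OpenSSH project.
# Assumptions: cipher/MAC names as printed by `ssh -Q cipher` / `ssh -Q mac`,
# and `ssh -vv` "kex: <dir> cipher: <c> MAC: <m> compression: <z>" lines.

# Constructed sample: the `ssh -Q cipher` list quoted earlier in the thread.
SAMPLE_CIPHERS="3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com"
# Constructed sample MAC list in `ssh -Q mac` style.
SAMPLE_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com"
# Constructed sample `ssh -vv` output for one connection (host name is made up).
SAMPLE_DEBUG="debug1: Connecting to example.invalid port 22.
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none"

# CBC-mode cipher? The trailing * also catches rijndael-cbc@lysator.liu.se.
cipher_is_cbc() { case "$1" in *-cbc*) return 0 ;; esac; return 1; }
# Encrypt-then-MAC variant?
mac_is_etm() { case "$1" in *-etm@openssh.com) return 0 ;; esac; return 1; }

# terrapin_verdict CIPHER MAC -> "vulnerable" or "ok".
# ChaCha20-Poly1305 is affected on its own (it is an AEAD; MAC shows as <implicit>);
# a CBC cipher is affected only when paired with an EtM MAC.
terrapin_verdict() {
  if [ "$1" = chacha20-poly1305@openssh.com ]; then echo vulnerable; return 0; fi
  if cipher_is_cbc "$1" && mac_is_etm "$2"; then echo vulnerable; return 0; fi
  echo ok
}

# affected_ciphers "CIPHER LIST" "MAC LIST" -> ciphers a peer could steer the
# negotiation into an affected combination with, space separated.
affected_ciphers() {
  etm_present=0
  for m in $2; do
    if mac_is_etm "$m"; then etm_present=1; fi
  done
  out=""
  for c in $1; do
    if [ "$c" = chacha20-poly1305@openssh.com ]; then out="$out $c"
    elif [ "$etm_present" -eq 1 ] && cipher_is_cbc "$c"; then out="$out $c"
    fi
  done
  printf '%s\n' "${out# }"
}

# audit_debug_log < ssh-vv-output -> one verdict line per negotiated direction,
# e.g. "server->client chacha20-poly1305@openssh.com/<implicit>: vulnerable".
audit_debug_log() {
  grep 'kex: .* cipher: ' | while IFS= read -r line; do
    dir=$(printf '%s\n' "$line" | sed -n 's/.*kex: \([^ ]*\) cipher: .*/\1/p')
    c=$(printf '%s\n' "$line" | sed -n 's/.*cipher: \([^ ]*\) MAC: .*/\1/p')
    m=$(printf '%s\n' "$line" | sed -n 's/.*MAC: \([^ ]*\) .*/\1/p')
    printf '%s %s/%s: %s\n' "$dir" "$c" "$m" "$(terrapin_verdict "$c" "$m")"
  done
}

# hardening_config -> drop-in lines for sshd_config / ssh_config.
# Removing the CBC ciphers takes the CBC+EtM combination off the table without
# touching the EtM MACs. This is a stopgap; the real fix is the patched OpenSSH.
hardening_config() {
  printf '%s\n' \
    '# Terrapin stopgap: remove affected ciphers from the default set' \
    'Ciphers -chacha20-poly1305@openssh.com,*-cbc*'
}

main() {
  echo "Affected ciphers in the sample list:"
  affected_ciphers "$SAMPLE_CIPHERS" "$SAMPLE_MACS"
  echo "Negotiated algorithms in the sample ssh -vv log:"
  printf '%s\n' "$SAMPLE_DEBUG" | audit_debug_log
  echo "Suggested config lines:"
  hardening_config
}
main
```

To check a real connection instead of the sample, pipe the debug output through the audit: ssh -vv host exit 2>&1 | sh -c '. ./terrapin-check.sh >/dev/null; audit_debug_log' (the client and server directions are reported separately because SSH negotiates them separately, and a vulnerable result in either one counts).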
It's a SSH protocol bug, patch other programs too (Score:1)
This is an SSH protocol vulnerability, not just a bug in OpenSSH, so don't forget to patch or reconfigure all your other SSH servers and clients (like on your routers and firewalls), libraries (e.g. libssh/libssh2), and Go/Python/Rust programs that have SSH statically built in.
https://terrapin-attack.com/patches.html [terrapin-attack.com]
Some other SSH implementations have severe exploits enabled by this vulnerability, like being able to log in as another user.