Terrapin Attack Strikes – Is Your SSH Connection Truly Secure?

by Atharva Shah | December 26, 2023

AccuKnox not only detects Terrapin vulnerabilities, it anticipates them. This in-depth guide shows how to scan the SSH endpoints across all your distributed workloads so you can defend against dynamic cyber threats. Implementation instructions are detailed for the proactive measures and advanced screening that bolster your SSH security.

Reading Time: 4 minutes

Researchers from Ruhr University Bochum have shown that an attacker sitting on the network path (a machine-in-the-middle) can use the Terrapin attack to reduce the security of an SSH connection that uses SSH extension negotiation (RFC 8308). The exact effect depends on which extensions the two peers support, but almost every deployment is affected in some way.

Over 15 million SSH servers are reachable on the public internet. Approximately 77% of them offer at least one practically exploitable mode.

Terrapin is not a straightforward software defect that can be resolved by updating a single library or component. It is a weakness in the protocol itself, so the countermeasure (a strict key exchange mode) has to be implemented and deployed on both clients and servers, and a connection is only protected once both peers support it. Raising awareness across every SSH client and server implementation takes a lot of work.

The Terrapin attack is a carefully constructed and stealthy attack against the SSH (Secure Shell) protocol, targeting the heart of secure network communications. It breaks the integrity of the SSH secure channel by manipulating sequence numbers during the handshake: the attacker injects packets while the handshake is still unencrypted and drops the same number of packets right after encryption starts, so both sides' packet counters stay aligned and neither notices the missing data.

This lets an attacker push the connection onto less secure client authentication algorithms and switch off some defenses against keystroke timing attacks, weakening the connection without breaking it outright. For any workflow that relies on Secure Shell (SSH) for secure access, defending against such attacks is crucial for maintaining the integrity of your digital infrastructure.

Cyber threats constantly evolve, with adversaries exploiting vulnerabilities to compromise sensitive information and jeopardize network communications. AccuKnox is a steadfast defender of digital assets in the face of increasing cyberattacks. AccuKnox CNAPP is not just a security solution: it is a defense toolkit that improves the security of your networks and workloads against evolving cloud attacks.

Understanding Terrapin Attack

The Terrapin attack (CVE-2023-48795) exploits a weakness in the transport layer of the SSH protocol that lets a network attacker manipulate sequence numbers during the initial handshake. By tampering with these numbers, the attacker can delete messages at the start of the secure channel without detection, defeating the integrity checks that are supposed to protect the SSH channel. The attack is practical when the connection uses ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC; it does not change which cipher is negotiated, but the messages it deletes (notably the extension negotiation message) are what lets the attacker downgrade authentication algorithms and disable other protections.
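To see why the deleted packet goes unnoticed, here is a small Python model written for this article (not code from the original post or from the Terrapin researchers). It keeps only the bookkeeping that matters: SSH maintains an implicit per-direction packet counter that is never sent on the wire, ChaCha20-Poly1305 and CBC-EtM bind each packet's integrity tag to that counter (modelled here by a toy HMAC over counter and payload), and handshake messages such as SSH_MSG_IGNORE are not covered by the exchange hash. The fixed key, the simplified packet layout and the message names are assumptions of the model.

```python
"""Sequence-number model of Terrapin's prefix truncation (added example).

Illustrative model written for this article, not code from the original post
or from the Terrapin researchers. TOY_KEY stands in for the negotiated
integrity key and the packet layout is simplified; both are assumptions.
"""
import hashlib
import hmac

SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_NEWKEYS = 21
TOY_KEY = b"toy-shared-integrity-key"  # assumption: stands in for the real key


def tag(seq: int, payload: bytes) -> bytes:
    """Integrity tag bound to the implicit sequence number (ChaCha20-Poly1305/CBC-EtM style)."""
    return hmac.new(TOY_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One SSH peer: separate send/receive counters, keyed after NEWKEYS."""

    def __init__(self, strict_kex: bool):
        self.strict = strict_kex
        self.send_seq = self.recv_seq = 0
        self.send_keyed = self.recv_keyed = False
        self.received = []

    def send(self, msg_type: int, body: bytes = b"") -> dict:
        payload = bytes([msg_type]) + body
        pkt = {"payload": payload}
        if self.send_keyed:
            pkt["tag"] = tag(self.send_seq, payload)
        self.send_seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.send_keyed = True
            if self.strict:
                self.send_seq = 0  # strict kex: counter restarts at 0 after NEWKEYS
        return pkt

    def recv(self, pkt: dict) -> None:
        payload = pkt["payload"]
        if self.recv_keyed:
            if not hmac.compare_digest(tag(self.recv_seq, payload), pkt.get("tag", b"")):
                raise ValueError(f"integrity failure at recv_seq={self.recv_seq}")
        elif self.strict and payload[0] == SSH_MSG_IGNORE:
            raise ValueError("unexpected message during strict key exchange")
        self.recv_seq += 1
        self.received.append(payload[0])
        if payload[0] == SSH_MSG_NEWKEYS:
            self.recv_keyed = True
            if self.strict:
                self.recv_seq = 0


def run(strict_kex: bool, attack: str) -> dict:
    """Replay the tail of a handshake, server -> client, with an in-path attacker.

    attack: "none", "drop_only" (discard EXT_INFO) or "inject_and_drop"
    (Terrapin: inject one unauthenticated IGNORE before NEWKEYS, then discard
    EXT_INFO, the first encrypted packet).
    """
    server, client = Endpoint(strict_kex), Endpoint(strict_kex)
    on_wire = []
    if attack == "inject_and_drop":
        on_wire.append({"payload": bytes([SSH_MSG_IGNORE])})  # forged; no tag needed pre-NEWKEYS
    on_wire.append(server.send(SSH_MSG_NEWKEYS))
    ext_info = server.send(SSH_MSG_EXT_INFO, b"server-sig-algs=rsa-sha2-512")
    if attack == "none":
        on_wire.append(ext_info)  # the attacker drops it in the other two cases
    on_wire.append(server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"))
    try:
        for pkt in on_wire:
            client.recv(pkt)
    except ValueError as err:
        return {"accepted": False, "reason": str(err), "ext_info_seen": False}
    return {"accepted": True, "reason": "",
            "ext_info_seen": SSH_MSG_EXT_INFO in client.received}


if __name__ == "__main__":
    for strict in (False, True):
        for attack in ("none", "drop_only", "inject_and_drop"):
            print(f"strict_kex={strict!s:5} attack={attack:16} -> {run(strict, attack)}")
```

Without strict kex, dropping EXT_INFO alone is caught (the client's counter is one behind), but injecting one IGNORE beforehand realigns the counters and the client accepts the stream with EXT_INFO silently gone. With strict kex the forged IGNORE is rejected outright, and even a bare drop fails because both counters restart at zero after NEWKEYS.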

Common Targets and Vulnerabilities Exploited

The attack surface is immense, with around 15 million SSH servers exposed on the public internet. Connections that negotiate ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC integrity mode, are the ones that can be attacked in practice. The impact goes beyond the channel itself: in some configurations the client authentication algorithms are weakened as well.

Implementation-specific weaknesses can compound the protocol flaw. For example, the keystroke timing obfuscation introduced in OpenSSH 9.5 is negotiated through the extension mechanism Terrapin truncates, so the attack can switch it off.

Defending against Terrapin requires comprehensive patching of SSH clients and servers, disabling the affected cipher and MAC combinations where patching is not yet possible, and following transport-layer best practices around key exchange and integrity verification. Even one exposed system could open the door for lateral movement post-exploitation.

Source: https://terrapin-attack.com/

Three CVEs have been assigned. CVE-2023-48795 is the general, protocol-level SSH vulnerability. CVE-2023-46445 (rogue extension negotiation) and CVE-2023-46446 (rogue session attack) are specific to the Python SSH library AsyncSSH, which has an estimated 60,000 daily downloads.

These flaws weaken connection security and can be a stepping stone to further compromise. Fixes are now shipping (OpenSSH 9.6 implements strict key exchange), but a connection is only protected once both its client and its server are updated, so inventorying every exposed SSH endpoint with AccuKnox is the practical first step to staying ahead of the curve.

Detecting and Mitigating Terrapin SSH Vulnerability with AccuKnox

Given the significant threat posed by the Terrapin SSH vulnerability to the security of SSH connections, implementing proactive measures is crucial to identify and mitigate potential risks.  

AccuKnox delivers an advanced cybersecurity solution tailored to identify Terrapin-vulnerable endpoints and strengthen the security posture against them. Using its SSH vulnerability scanning and real-time alerting, the step-by-step procedure below detects exposed SSH services so you can lock them down.

Scan for Terrapin SSH Vulnerability

Prerequisites: Install jq

Ensure that the jq utility is installed using the following command:

apt-get install jq

Prepare the ssh.list File

Create a file named ssh.list listing the SSH endpoints (host and port) to be scanned.

Execute the AccuKnox Tool (K8TLS)

Use the AccuKnox K8TLS tool with the prepared ssh.list file as input:

docker run --rm -v $PWD:/home/k8tls/data kubearmor/k8tls --infile data/ssh.list --json data/ssh.json

Sample AccuKnox Report Output

{
  "app": {
    "version": "v0.1"
  },
  "endpoints": [
    {
      "svc": "open-horizon-edge-vm",
      "host": "172.174.240.192",
      "port": "22",
      "finding": [
        {
          "plugin": "terrapin-ssh",
          "title": "terrapin ssh server attack",
          "description": "The exploit can allow an attacker to downgrade the connection security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks.",
          "link": "https://terrapin-attack.com/",
          "banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.5",
          "supportsChaCha20": "true",
          "supportsCbcEtm": "false",
          "supportsStrictKex": "true",
          "severity": "high",
          "remediationEstEffort": "medium",
          "solution": "Both SSH client and server need to be patched to fix the exploit.",
          "status": "OK"
        }
      ]
    },
    {
      "svc": "jfrog-registry-vm",
      "host": "4.242.4.41",
      "port": "22",
      "finding": [
        {
          "plugin": "terrapin-ssh",
          "title": "terrapin ssh server attack",
          "description": "The exploit can allow an attacker to downgrade the connection security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks.",
          "link": "https://terrapin-attack.com/",
          "banner": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7+esm2",
          "supportsChaCha20": "true",
          "supportsCbcEtm": "false",
          "supportsStrictKex": "false",
          "severity": "high",
          "remediationEstEffort": "medium",
          "solution": "Both SSH client and server need to be patched to fix the exploit.",
          "status": "FAIL"
        }
      ]
    },
    // Additional Endpoint Information…
  ]
}

Interpreting the Report

The report lists each SSH endpoint scanned with its service name, host and port. For every endpoint the terrapin-ssh plugin records the server banner and three facts read from the server's key exchange offer: whether it offers ChaCha20-Poly1305 (supportsChaCha20), whether it offers a CBC cipher together with an Encrypt-then-MAC integrity mode (supportsCbcEtm), and whether it advertises the strict key exchange countermeasure (supportsStrictKex). An endpoint is reported as FAIL when it offers one of the attackable modes without strict key exchange; in the sample above the OpenSSH 7.6 host fails because it supports ChaCha20-Poly1305 but not strict kex, while the OpenSSH 8.9 host (patched by its distribution) passes because it advertises strict kex even though it still offers ChaCha20-Poly1305.

The finding also carries the severity, an estimated remediation effort, the remediation itself (patch both client and server) and a link to the Terrapin attack site for further reference. Using these fields you can proactively identify and assess the Terrapin SSH vulnerability across your fleet.
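The three booleans in the report come straight from the server's SSH_MSG_KEXINIT. The following Python is an added example for this article, not code from k8tls or AccuKnox: it parses a KEXINIT payload in the RFC 4253 section 7.1 layout, derives the same three fields and the OK/FAIL verdict, and includes an optional probe() that fetches a live server's banner and KEXINIT without completing the key exchange. The strict-kex marker it looks for is the one OpenSSH 9.6 advertises (kex-strict-s-v00@openssh.com); the sample server offer is constructed, not captured, and the probe's client banner string is an arbitrary choice.

```python
"""Derive supportsChaCha20 / supportsCbcEtm / supportsStrictKex from a KEXINIT.

Added example for this article, not code from k8tls or AccuKnox. The sample
KEXINIT below is constructed; probe() is an optional live check.
"""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def build_kexinit(lists: dict) -> bytes:
    """Serialise a KEXINIT payload (RFC 4253 7.1); used to build the sample."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)  # message byte + cookie
    for name in NAME_LISTS:
        value = ",".join(lists.get(name, [])).encode()
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of a KEXINIT payload as lists of strings."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[name] = [n for n in raw.split(",") if n]
    return lists


def assess(kexinit: dict) -> dict:
    """The three report fields plus the verdict the scan report prints."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in kexinit["kex"]
    return {"supportsChaCha20": chacha, "supportsCbcEtm": cbc_etm,
            "supportsStrictKex": strict,
            "status": "OK" if strict or not (chacha or cbc_etm) else "FAIL"}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Live check: read the banner and the unencrypted KEXINIT, then hang up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit-probe\r\n")  # assumption: any client id line
        line = b""
        while not line.startswith(b"SSH-"):   # servers may send text lines first
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(s, 1)
        packet_len, pad_len = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, packet_len - 1)  # padding_length byte already read
        payload = body[:packet_len - 1 - pad_len]  # no MAC before NEWKEYS
    result = assess(parse_kexinit(payload))
    result["banner"] = line.rstrip(b"\r\n").decode(errors="replace")
    return result


# Constructed sample: an OpenSSH-style offer without strict kex, and the same
# offer after a patched server adds the strict-kex marker.
SAMPLE_OFFER = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
PATCHED_OFFER = dict(SAMPLE_OFFER, kex=SAMPLE_OFFER["kex"] + [STRICT_KEX_SERVER])


def assess_sample(offer: dict) -> dict:
    return assess(parse_kexinit(build_kexinit(offer)))


if __name__ == "__main__":
    print("unpatched:", assess_sample(SAMPLE_OFFER))
    print("patched:  ", assess_sample(PATCHED_OFFER))
```

For a fleet already scanned with the tool, the equivalent triage over its JSON report is a jq filter such as `jq -r '.endpoints[] | select(any(.finding[]; .status == "FAIL")) | "\(.host):\(.port)"' ssh.json`, which prints the endpoints that still need patching.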

Perform regular automated scans over all your workloads with AccuKnox to stay ahead of potential threats and prevent privilege escalation or security downgrades. Our zero trust security solutions are built to handle even the most recent attack vectors and vulnerabilities. 

Proactive Measures Against Attacks with Incident Response and Recovery

  • Our Zero Trust CNAPP uses automated vulnerability scanning to painstakingly evaluate SSH setups, quickly detecting weaknesses that might be exploited in a Terrapin attack.
  • This inline mitigation strategy provides a strong shield against prospective threats.
  • AccuKnox vigilantly watches network activity through continuous monitoring and threat detection.
  • Our Cloud-Native app defense tooling is built for real-time threat detection, detecting deviations or odd patterns that may indicate a Terrapin assault.
  • AccuKnox goes beyond detection by identifying the likely entry points for a Terrapin attack.
  • Understanding the attack vectors allows businesses to reinforce these areas ahead of time, improving their overall security posture.

AccuKnox specializes in cybersecurity solutions, including a CNAPP that uses advanced technologies such as eBPF filtering and inline mitigation. Our strong partner network allows us to integrate with platforms, systems and workloads of every size to aid in incident response and recovery. We recommend trying our CNAPP from the AWS Marketplace to keep business operations running smoothly amid potential cloud and network attacks. Cloud security experts have cited it as a tool for maintaining reputation and consumer confidence.

A Complete Cloud-Native Application Security Pipeline

Here’s how you stay defended with our scanning and inline mitigation toolset:

🔍 Scan and verify if server ports are TLS enabled.

✅ Check the TLS version, cipher suite, hash, and signature.

🌟 Works seamlessly in k8s and non-containerized environments.

⚡️ No user inputs are needed for k8s scanning. It’s automatic!

🔁 Integrate into CI/CD for early identification of insecure ports.

📊 Detailed JSON reports for easy analysis.

💪 Zero impact on runtime performance.

📜 Ensure compliance with PCI-DSS, HIPAA, and 5G systems.

🚀 Developed to address 5G Security Control checks and more.

The Terrapin attack brought to light weaknesses in a protocol that secure network connections depend on. Newly disclosed attacks like this highlight the necessity of taking proactive steps to safeguard digital assets and preserve stakeholder trust. AccuKnox's CNAPP provides cutting-edge features and technology, such as automated scanning, incident response, stronger authentication, encryption, proactive measures, and real-time threat detection, to safeguard against dangers like TNTBotinger Malware and CVEs.

You cannot secure what you cannot see.

Your most sensitive information is stored on endpoints and in the cloud. Protect what is most important from cyberattacks. Real-time autonomous protection for your network's edges.

Ready to get started?

BOOK A DEMO