Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Dec 2023 17:08:14 +0100
From: Fabian Bäumer <fabian.baeumer@....de>
To: oss-security@...ts.openwall.com
Cc: Marcus Brinkmann <marcus.brinkmann@....de>
Subject: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification
 (Terrapin Attack)

### Summary

Parts of the SSH specification are vulnerable to a novel prefix 
truncation attack (a.k.a. Terrapin attack), which allows a 
man-in-the-middle attacker to strip an arbitrary number of messages 
right after the initial key exchange, breaking SSH extension negotiation 
(RFC8308) in the process and thus downgrading connection security.

### Mitigations

To mitigate this protocol vulnerability, OpenSSH suggested a so-called 
"strict kex" which alters the SSH handshake to ensure a 
Man-in-the-Middle attacker cannot introduce unauthenticated messages as 
well as convey sequence number manipulation across handshakes. Support 
for strict key exchange has been added to a variety of SSH 
implementations, including OpenSSH itself, PuTTY, libssh, and more.

**Warning: To take effect, both the client and server must support this 
countermeasure.**

As a stop-gap measure, peers may also (temporarily) disable the affected 
algorithms and use unaffected alternatives like AES-GCM instead until 
patches are available.

### Details

The SSH specifications of ChaCha20-Poly1305 
(chacha20-poly1305@...nssh.com) and Encrypt-then-MAC (*-etm@...nssh.com 
MACs) are vulnerable against an arbitrary prefix truncation attack 
(a.k.a. Terrapin attack). This allows for an extension negotiation 
downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message 
after SSH_MSG_NEWKEYS, downgrading security, and disabling attack 
countermeasures in some versions of OpenSSH. When targeting 
Encrypt-then-MAC, this attack requires the use of a CBC cipher to be 
practically exploitable due to the internal workings of the cipher mode. 
Additionally, this novel attack technique can be used to exploit 
previously unexploitable implementation flaws in a Man-in-the-Middle 
scenario.

The attack works by an attacker injecting an arbitrary number of 
SSH_MSG_IGNORE messages during the initial key exchange and consequently 
removing the same number of messages just after the initial key exchange 
has concluded. This is possible due to missing authentication of the 
excess SSH_MSG_IGNORE messages and the fact that the implicit sequence 
numbers used within the SSH protocol are only checked after the initial 
key exchange.

In the case of ChaCha20-Poly1305, the attack is guaranteed to work on 
every connection as this cipher does not maintain an internal state 
other than the message's sequence number. In the case of 
Encrypt-Then-MAC, practical exploitation requires the use of a CBC 
cipher; while theoretical integrity is broken for all ciphers when using 
this mode, message processing will fail at the application layer for CTR 
and stream ciphers.

For more details and a pre-print of the associated research paper, see 
https://terrapin-attack.com.

### Impact

This attack targets the specification of ChaCha20-Poly1305 
(chacha20-poly1305@...nssh.com) and Encrypt-then-MAC 
(*-etm@...nssh.com), which are widely adopted by well-known SSH 
implementations and can be considered de-facto standard. These 
algorithms can be practically exploited; however, in the case of 
Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a 
consequence, this attack works against all well-behaving SSH 
implementations supporting either of those algorithms and can be used to 
downgrade (but not fully strip) connection security in case SSH 
extension negotiation (RFC8308) is supported. The attack may also enable 
attackers to exploit certain implementation flaws in a man-in-the-middle 
(MitM) scenario.

-- 
M. Sc. Fabian Bäumer

Chair for Network and Data Security
Ruhr University Bochum
Universitätsstr. 150, Building MC 4/145
44780 Bochum
Germany


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5977 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.