Millions of people have still not patched the Terrapin SSH protocol vulnerability.

Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks to compromise the integrity of SSH sessions, the lynchpin admins rely on to securely connect to computers inside the cloud and other sensitive environments. In those instances, Terrapin allows attackers to alter or corrupt information transmitted in the SSH data stream during the handshake, the earliest connection stage, when the two parties negotiate the encryption parameters they will use to establish a secure connection. As such, Terrapin represents the first practical cryptographic attack targeting the integrity of the SSH protocol itself. It works by targeting BPP (Binary Packet Protocol), which is designed to ensure AitMs can't add or drop messages exchanged during the handshake. This prefix truncation attack works when implementations support either the "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC" cipher modes, which, at the time the paper was published, were found in 77 percent of SSH servers. Internet-wide scans performed Tuesday, the last day such data was available at the time of reporting, revealed that more than 11 million IP addresses exposing an SSH server remained vulnerable to Terrapin. Nearly a third of those addresses, 3.3 million, resided in the US, followed by China, Russia, Germany, Russia and Singapore. All of the unpatched implementations tracked by Shadowserver supported the required cipher modes. Only 53 of the vulnerable instances relied on implementations of AsyncSSH, the only app currently known to be seriously affected by Terrapin.
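The exposure check described above, as an added example that is not part of the article: a small Python parser for the SSH_MSG_KEXINIT message (RFC 4253 section 7.1) that flags whether a peer advertises the two cipher modes Terrapin needs. It also looks for the strict key exchange pseudo-algorithm names (kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com) that patched OpenSSH-compatible implementations advertise as the countermeasure; those names are not mentioned in the article and the KEXINIT payloads below are constructed inline for the test.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}

def name_list(s: bytes) -> bytes:
    """RFC 4251 name-list: uint32 length followed by comma-separated names."""
    return struct.pack(">I", len(s)) + s

def build_kexinit(kex: bytes, ciphers: bytes, macs: bytes) -> bytes:
    """Construct a minimal KEXINIT payload (constructed test data, zero cookie)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for item in [kex, b"ssh-ed25519", ciphers, ciphers, macs, macs,
                 b"none", b"none", b"", b""]:
        body += name_list(item)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of a KEXINIT payload into a dict of lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}  # skip message id and 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        pos += 4 + n
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out

def terrapin_exposure(kexinit: dict) -> dict:
    """Report whether this peer's advertised algorithms leave it exposed."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = bool(STRICT_KEX & set(kexinit["kex"]))
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "strict_kex": strict, "vulnerable": (chacha or cbc_etm) and not strict}
```

A single KEXINIT only shows one side's offer; strict KEX protects a session only when both client and server advertise it, so check both peers' lists before calling a connection safe.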
Two vulnerabilities the researchers discovered in AsyncSSH allowed Terrapin to (1) downgrade security extensions that organizations use, replacing the extension information message sent by the server and letting the attacker control its content, or (2) control the remote end of an SSH client session by either injecting or removing packets or emulating the established shell. AsyncSSH has patched those two vulnerabilities, tracked as CVE-2023-46445 and CVE-2023-46446, in addition to CVE-2023-48795, the Terrapin vulnerability affecting the SSH protocol. It appears the overwhelming majority of AsyncSSH users have installed the patches.
