CGA-v7c4-rcx6-g4vr
Prefix Truncation Attack vulnerability in crypto (Go)

Tags: Prefix Truncation Attack · Proof of concept · Fixable by Resolved Security

What is CGA-v7c4-rcx6-g4vr About?

Terrapin is a prefix truncation attack against the SSH protocol, affecting connections that negotiate ChaCha20-Poly1305 or an Encrypt-then-MAC (EtM) algorithm. An attacker can remove messages from the beginning of the secure channel without either peer detecting it, which enables security downgrades or the exploitation of other implementation flaws. Exploitation is complex, requiring a Man-in-the-Middle position and specific protocol manipulation, but the affected algorithms are in wide use, so most SSH implementations were affected.

Affected Software

  • golang.org/x/crypto
    • <0.17.0
    • <0.0.0-20231218163308-9d2ee975ef9f
    • >0.1.0, <0.17.0
  • russh
    • <0.40.2
  • paramiko
    • >2.5.0, <3.4.0

Technical Details

Terrapin is a prefix truncation attack that manipulates the implicit packet sequence numbers during the SSH handshake. The flaw is that messages exchanged before SSH_MSG_NEWKEYS are not integrity-protected, yet they still advance each peer's sequence counter; an SSH_MSG_IGNORE message injected by an attacker during the initial key exchange therefore cannot be distinguished from a legitimate one, and the sequence numbers are only enforced (via the MAC) once keys are active. An attacker in a Man-in-the-Middle (MitM) position can inject an arbitrary number of SSH_MSG_IGNORE messages before the key exchange completes. Once the key exchange concludes, the attacker removes the same number of legitimate messages sent by the client or server from the beginning of the secure channel; the receiver's counter is already ahead by that amount, so the MACs on the remaining messages still verify. This sequence number manipulation allows the attacker to silently truncate the connection's initial messages. It is particularly effective against ChaCha20-Poly1305, which carries no state between packets beyond the sequence number, and against Encrypt-then-MAC when used with CBC ciphers, enabling security downgrades (e.g., suppressing SSH_MSG_EXT_INFO and the countermeasures it advertises) or the exploitation of implementation flaws.

What is the Impact of CGA-v7c4-rcx6-g4vr?

Successful exploitation may allow attackers to downgrade connection security, bypass security mitigations, disable attack countermeasures, or exploit other implementation flaws by silently truncating initial protocol messages.

What is the Exploitability of CGA-v7c4-rcx6-g4vr?

Exploitation of the Terrapin attack is highly complex, requiring a Man-in-the-Middle (MitM) position between the SSH client and server. Attackers must actively intercept and manipulate the SSH handshake traffic. No authentication is required at the application layer, as the attack targets the underlying SSH protocol messages before a secure channel is fully established. No specific privileges are needed on the endpoints, only network interception capabilities. This is inherently a remote attack. Special conditions include the use of vulnerable ciphers (ChaCha20-Poly1305 or Encrypt-then-MAC with CBC) by both the client and server. The likelihood of exploitation increases in environments where SSH traffic is easily intercepted and where SSH implementations have not been patched with 'strict kex' countermeasures.

What are the Known Public Exploits?

Public proof-of-concept tools (author, link, commentary):

  • TrixSec (Link): A Python-based tool to check for vulnerabilities in OpenSSH installations on local or remote systems by scanning specific IPs. It checks whether the OpenSSH version is affected by CVE-2023-48795.
  • Dr0xharakiri (Link): Python tool to identify SSH servers potentially vulnerable to CVE-2023-48795 (Terrapin) by analyzing OpenSSH version banners via netcat. Useful for internal audits, penetration testing, and...

What are the Available Fixes for CGA-v7c4-rcx6-g4vr?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

This patch introduces a "strict KEX" mode that resets the SSH packet sequence numbers on both sides immediately after a key exchange (msgNewKeys), and rejects SSH_MSG_IGNORE and debug packets during the initial key exchange while strict mode is active. By preventing attackers from desynchronizing packet sequence numbers across rekeying, it addresses the vulnerability described in CVE-2023-48795 ("Terrapin"), which allowed prefix truncation and injection attacks on SSH connections.
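The sequence-number desynchronization described under Technical Details, and the two strict KEX countermeasures described here, as an added Go example that is not part of this advisory, of golang.org/x/crypto, or of the Resolved Security patch. It models one direction of an SSH connection with a toy packet type: the sequence number stays implicit (each side counts packets), HMAC-SHA256 over seq || type || payload stands in for the negotiated MAC, and a constructed key replaces the KEX output. The `endpoint`, `tag` and `handshake` names and the message sequence KEXINIT, NEWKEYS, EXT_INFO, SERVICE_REQUEST are assumptions for the demonstration; the message numbers are the real ones from RFC 4253 and RFC 8308.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SSH message numbers from RFC 4253 / RFC 8308.
const (
	msgIgnore         byte = 2
	msgServiceRequest byte = 5
	msgExtInfo        byte = 7
	msgKexInit        byte = 20
	msgNewKeys        byte = 21
)

// packet is a simplified SSH packet. As in the real protocol the sequence
// number is not on the wire; the MAC (present only once keys are active)
// is what binds a packet to the receiver's expected counter value.
type packet struct {
	typ     byte
	payload []byte
	mac     []byte
}

// tag stands in for the negotiated MAC: HMAC-SHA256 over seq || type || payload.
func tag(key []byte, seq uint32, typ byte, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var seqb [4]byte
	binary.BigEndian.PutUint32(seqb[:], seq)
	m.Write(seqb[:])
	m.Write([]byte{typ})
	m.Write(payload)
	return m.Sum(nil)
}

// endpoint (hypothetical name) holds one side's implicit counter and key
// state; strict enables the strict KEX behaviour.
type endpoint struct {
	key        []byte
	seq        uint32
	keysActive bool
	strict     bool
}

func (e *endpoint) send(typ byte, payload []byte) packet {
	p := packet{typ: typ, payload: payload}
	if e.keysActive {
		p.mac = tag(e.key, e.seq, typ, payload)
	}
	e.seq++
	if typ == msgNewKeys {
		e.keysActive = true
		if e.strict {
			e.seq = 0 // strict KEX: counters restart right after NEWKEYS
		}
	}
	return p
}

func (e *endpoint) recv(p packet) error {
	// Strict KEX: no IGNORE packets are tolerated before keys are active.
	if e.strict && !e.keysActive && p.typ == msgIgnore {
		return errors.New("strict kex: SSH_MSG_IGNORE during initial key exchange")
	}
	if e.keysActive && !hmac.Equal(p.mac, tag(e.key, e.seq, p.typ, p.payload)) {
		return fmt.Errorf("MAC failure at receive seq %d: stream tampered", e.seq)
	}
	e.seq++
	if p.typ == msgNewKeys {
		e.keysActive = true
		if e.strict {
			e.seq = 0
		}
	}
	return nil
}

// handshake (hypothetical) sends KEXINIT, NEWKEYS, EXT_INFO, SERVICE_REQUEST
// through a wire on which, when attack is true, an on-path adversary inserts
// one SSH_MSG_IGNORE before NEWKEYS and drops EXT_INFO afterwards. It returns
// the message types the receiver accepted and the first error it raised.
func handshake(strict, attack bool) ([]byte, error) {
	key := []byte("constructed shared key for the demo") // constructed, not a KEX output
	sender := &endpoint{key: key, strict: strict}
	receiver := &endpoint{key: key, strict: strict}

	wire := []packet{sender.send(msgKexInit, []byte("kexinit"))}
	if attack {
		// Unauthenticated injection: the receiver counts it, the sender never did.
		wire = append(wire, packet{typ: msgIgnore, payload: []byte("junk")})
	}
	wire = append(wire, sender.send(msgNewKeys, nil))
	extInfo := sender.send(msgExtInfo, []byte("server-sig-algs"))
	if !attack {
		wire = append(wire, extInfo) // under attack EXT_INFO never reaches the wire
	}
	wire = append(wire, sender.send(msgServiceRequest, []byte("ssh-userauth")))

	var accepted []byte
	for _, p := range wire {
		if err := receiver.recv(p); err != nil {
			return accepted, err
		}
		accepted = append(accepted, p.typ)
	}
	return accepted, nil
}

func main() {
	for _, c := range []struct{ strict, attack bool }{{false, false}, {false, true}, {true, true}} {
		got, err := handshake(c.strict, c.attack)
		fmt.Printf("strict=%v attack=%v accepted=%v err=%v\n", c.strict, c.attack, got, err)
	}
}
```

Without strict KEX the attacked run accepts KEXINIT, IGNORE, NEWKEYS, SERVICE_REQUEST with no error: EXT_INFO is gone, and every MAC still verifies because the injected IGNORE had already advanced the receiver's counter by one. With strict KEX the receiver aborts on the IGNORE itself, and even if an injection were somehow tolerated, the counter reset at NEWKEYS would make the first dropped encrypted packet fail its MAC.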

Available Upgrade Options

  • russh
    • <0.40.2 → Upgrade to 0.40.2
  • paramiko
    • >2.5.0, <3.4.0 → Upgrade to 3.4.0
  • golang.org/x/crypto
    • <0.0.0-20231218163308-9d2ee975ef9f → Upgrade to 0.0.0-20231218163308-9d2ee975ef9f
  • golang.org/x/crypto
    • >0.1.0, <0.17.0 → Upgrade to 0.17.0


Additional Resources

What are Similar Vulnerabilities to CGA-v7c4-rcx6-g4vr?

Similar Vulnerabilities: CVE-2020-14387, CVE-2016-10705, CVE-2019-14838, CVE-2019-14839, CVE-2019-14840