Author Topic: Nearly 11 million SSH servers vulnerable to new Terrapin attacks  (Read 857 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Nearly 11 million SSH servers vulnerable to new Terrapin attacks
« on: February 23, 2024, 02:14:56 PM »
https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/

Almost 11 million internet-exposed SSH servers are vulnerable to the Terrapin attack that threatens the integrity of some SSH connections.

The Terrapin attack targets the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.

It manipulates sequence numbers during the handshake process to compromise the integrity of the SSH channel, particularly when specific encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC are used.

An attacker could thus downgrade the public key algorithms for user authentication and disable defenses against keystroke timing attacks in OpenSSH 9.5.

A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange.

It is worth noting that threat actors often compromise networks of interest and wait for the right moment to progress their attack.

A recent report by security threat monitoring platform Shadowserver warns that there are nearly 11 million SSH servers on the public web - identified by unique IP addresses, that are vulnerable to Terrapin attacks.

Another issue that i am not sure about how much it affects our CWP servers. Also another thing to look at byt our " Einsteins "

Offline
*****
Re: Nearly 11 million SSH servers vulnerable to new Terrapin attacks
« Reply #1 on: February 23, 2024, 03:15:58 PM »
When I read about Terrapin a few weeks ago, it wasn't a "sky is falling" type of moment for me, as the conditions for exploit are a bit restrictive. On CentOS 7.9, we have:
Code: [Select]
[root@srv]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Offline
*****
Re: Nearly 11 million SSH servers vulnerable to new Terrapin attacks
« Reply #2 on: March 11, 2024, 03:59:31 PM »
That is a general vulnerability in SSH.

Whether you have CWP or not.

And another good reason to firewall your SSH.


In AlmaLinux 8.x, you have
Code: [Select]
ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021