Millions still haven't patched Terrapin SSH protocol vulnerability

Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that attackers with a foothold inside affected networks can exploit.
Once they're in, attackers can compromise the integrity of SSH sessions, the lynchpin admins rely on to securely connect to computers inside the cloud and other sensitive environments.
Terrapin, as the vulnerability has been named, came to light two weeks ago in a research paper published by academic researchers.
Tracked as CVE-2023-48795, the attack the researchers devised works when attackers hold an adversary-in-the-middle (AitM) position, such as when they're on the same local network and can secretly intercept communications and assume the identity of both the recipient and the sender.
In those instances, Terrapin allows attackers to alter or corrupt information transmitted in the SSH data stream during the handshake, the earliest connection stage, when the two parties negotiate the encryption parameters they will use to establish a secure connection; specifically, it lets the attacker delete a chosen number of messages from the start of the secure channel without either side detecting it, a so-called prefix-truncation attack.
Terrapin represents the first practical cryptographic attack targeting the integrity of the SSH protocol itself.
Internet-wide scans performed Tuesday, the last day such data was available at the time of reporting, revealed that more than 11 million IP addresses exposing an SSH server remained vulnerable to Terrapin.
Only 53 of the vulnerable instances relied on implementations of AsyncSSH, the only app currently known to be seriously affected by Terrapin.
Two vulnerabilities the researchers discovered in AsyncSSH allowed Terrapin to be turned into practical attacks: one lets the attacker replace the extension information message sent by the server and thereby control its content, downgrading the security extensions the parties negotiate; the other lets the attacker control the remote end of an SSH client session by injecting or removing packets, so that the shell the victim believes it has established is one the attacker controls.
AsyncSSH has patched those two vulnerabilities, tracked as CVE-2023-46445 and CVE-2023-46446, in addition to CVE-2023-48795, the Terrapin vulnerability affecting the SSH protocol.
The requirement of an AitM position and the lack of currently known practical attacks made possible by Terrapin are important mitigating factors that some critics say have been lost in some news coverage.
That said, at this stage, there are few good reasons not to have patched the protocol flaw by now, since patches became widely available about one to two weeks ago.
While it's unlikely that Terrapin will ever be mass-exploited, the potential remains for it to be used in targeted attacks by more sophisticated attackers, such as those backed by nation-states.
While earlier versions of AsyncSSH are the only application currently known to be vulnerable to practical Terrapin attacks, the researchers spent little time analyzing other implementations.
Adversaries with more time, resources, and motivation could identify other vulnerable implementations.
Patching Terrapin isn't straightforward, because of the sheer number of implementations affected and the necessity that apps running on both the admin client and the server be patched.
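The handshake negotiation described above, and the reason both the client and the server have to be patched, can be made concrete by looking at the SSH_MSG_KEXINIT messages the two sides exchange. The following is an added example, not code from the article or from the Terrapin researchers. It applies the published preconditions for CVE-2023-48795 (the ChaCha20-Poly1305 cipher, or a CBC cipher paired with an Encrypt-then-MAC MAC) and the published countermeasure (the "strict kex" extension, advertised by a server as the pseudo-algorithm kex-strict-s-v00@openssh.com and by a client as kex-strict-c-v00@openssh.com in the kex_algorithms name-list, effective only when both sides advertise it) to KEXINIT messages parsed per RFC 4253. The sample KEXINITs are constructed, not scan data; the network helper, the check's output format and all function names are this example's own.

```python
"""Terrapin (CVE-2023-48795) exposure check from SSH KEXINIT name-lists.
Added example, not the article's or the researchers' code."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",   # strict-kex markers
              "client": "kex-strict-c-v00@openssh.com"}   # (one per role)
NAME_LISTS = ["kex_algorithms", "server_host_key_algorithms",
              "encryption_ctos", "encryption_stoc", "mac_ctos", "mac_stoc",
              "compression_ctos", "compression_stoc", "languages_ctos", "languages_stoc"]


def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (RFC 4253 s.7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos, fields = 17, {}  # skip the message type and the 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        pos += 4 + n
        fields[name] = raw.decode("ascii").split(",") if raw else []
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def build_kexinit(fields: dict) -> bytes:
    """Inverse of parse_kexinit: serialise name-lists into a KEXINIT payload."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for name in NAME_LISTS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def wrap_packet(payload: bytes) -> bytes:
    """Binary packet (RFC 4253 s.6) before keys exist: block size 8, no MAC."""
    pad = 8 - ((5 + len(payload)) % 8)
    pad += 8 if pad < 4 else 0
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def unwrap_packet(data: bytes) -> bytes:
    (length,) = struct.unpack(">I", data[:4])
    return data[5:4 + length - data[4]]


def affected_mode(cipher: str, mac: str) -> bool:
    """The two modes the Terrapin paper showed to be exploitable."""
    return cipher == CHACHA20 or ("-cbc" in cipher and mac.endswith("-etm@openssh.com"))


def assess(fields: dict, sender: str) -> dict:
    """One peer in isolation: offers an affected mode and lacks strict kex?"""
    offered = any(affected_mode(c, m) for d in ("ctos", "stoc")
                  for c in fields["encryption_" + d] for m in fields["mac_" + d] or [""])
    strict = STRICT_KEX[sender] in fields["kex_algorithms"]
    return {"affected_mode_offered": offered, "strict_kex": strict,
            "vulnerable": offered and not strict}


def negotiate(client_prefs: list, server_prefs: list):
    """RFC 4253 s.7.1: first client-preferred name the server also supports."""
    return next((n for n in client_prefs if n in server_prefs), None)


def connection_vulnerable(client: dict, server: dict) -> bool:
    """Both KEXINITs: strict kex protects only if BOTH peers advertise it,
    which is why the client and the server each need the patch."""
    strict = (STRICT_KEX["client"] in client["kex_algorithms"]
              and STRICT_KEX["server"] in server["kex_algorithms"])
    for d in ("ctos", "stoc"):
        cipher = negotiate(client["encryption_" + d], server["encryption_" + d])
        mac = negotiate(client["mac_" + d], server["mac_" + d])
        if cipher and affected_mode(cipher, mac or ""):
            return not strict
    return False


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Live check (not used offline): version exchange, then the server's
    first binary packet, which is its KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-TerrapinCheck\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # skip pre-banner lines
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH version string received")
        header = f.read(4)
        (length,) = struct.unpack(">I", header)
        return parse_kexinit(unwrap_packet(header + f.read(length)))


# Constructed samples (not scan data): OpenSSH-style peers before/after strict kex.
_BASE = {"server_host_key_algorithms": ["ssh-ed25519"],
         "encryption_ctos": [CHACHA20, "aes128-ctr"], "encryption_stoc": [CHACHA20, "aes128-ctr"],
         "mac_ctos": ["hmac-sha2-256-etm@openssh.com"], "mac_stoc": ["hmac-sha2-256-etm@openssh.com"],
         "compression_ctos": ["none"], "compression_stoc": ["none"]}
UNPATCHED_SERVER = dict(_BASE, kex_algorithms=["curve25519-sha256"])
PATCHED_SERVER = dict(_BASE, kex_algorithms=["curve25519-sha256", STRICT_KEX["server"]])
UNPATCHED_CLIENT = dict(_BASE, kex_algorithms=["curve25519-sha256"])
PATCHED_CLIENT = dict(_BASE, kex_algorithms=["curve25519-sha256", STRICT_KEX["client"]])

if __name__ == "__main__":
    import sys
    fields = (fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1
              else parse_kexinit(build_kexinit(UNPATCHED_SERVER)))
    print(assess(fields, "server"))
```

Run with a hostname to read a live server's KEXINIT, or with no arguments to evaluate the constructed sample. Note that a server flagged as not vulnerable here can still be attacked by a client that does not advertise the client-side marker, which is what connection_vulnerable captures when both KEXINITs are available.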
The researchers listed the following implementations as vulnerable and included links to patches when available.
Terrapin is no Citrix Bleed, CVE-2022-47966, MOVEit, CVE-2021-22986, or CVE-2023-49103, which were some of the most exploited vulnerabilities of 2023 and led to the compromise of millions of servers.
There are no known reports of Terrapin patches causing side effects.
Admins would do well to patch sooner rather than later.


This Cyber News was published on packetstormsecurity.com. Publication date: Thu, 04 Jan 2024 13:43:05 +0000

