QID 38913

Date Published: 2023-12-28

QID 38913: SSH Prefix Truncation Vulnerability (Terrapin)

The Terrapin attack exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago. Since then, these have been adopted by a wide range of SSH implementations, therefore affecting a majority of current implementations.

QID Detection Logic (Unauthenticated):
This detection attempts to start the SSH key exchange process and examines whether either of the vulnerable algorithms, ChaCha20-Poly1305 or CBC-EtM, is active. It subsequently verifies whether Strict Key Exchange is enabled. A target identified as vulnerable supports at least one of the vulnerable algorithms and lacks support for Strict Key Exchange.

Successful exploitation of the vulnerability may allow an attacker to downgrade the security of an SSH connection when using SSH extension negotiation. The impact in practice heavily depends on the supported extensions. Most commonly, this will impact the security of client authentication when using an RSA public key.

  • CVSS V3 rated as Medium - 5.9 severity.
  • CVSS V2 rated as High - 6.4 severity.

Solution:
Customers are advised to refer to the individual vendor advisory for their operating system and install the patch released by the vendor. For more information regarding the vulnerability, please refer to Terrapin Vulnerability.

Vendor References

CVEs related to QID 38913

Software Advisories
Advisory ID Software Component Link
OpenWall Security Advisory www.openwall.com/lists/oss-security/2023/12/20/3