Terrapin attack on SSH: What do you need to know

2023-12-21

Terrapin is a recent prefix truncation attack on SSH that exploits deficiencies in the protocol specification, namely not resetting sequence number and not authenticating certain parts of handshake transcript. The attack requires man-in-the-middle, i.e. a rogue network node that intercepts the traffic. SSH protocol is used to remotely manage servers and IoT devices and is widely spread. In this article we explain how to secure your servers and devices from this attack.

«Bald eagle throws tortoise oil painting» by DALL-E.
«Bald eagle throws tortoise oil painting» by DALL-E.

Table of contents

How to protect your SSH servers

Photo by Ray Hennessy on Unsplash.

According to the paper the attack is possible only if you use vulnerable ciphers and encryption modes: ChaCha20-Poly1305, CTR-EtM, CBC-EtM. Note that the ciphers and the encryption modes themselves are not vulnerable, but their input (sequence number) can be manipulated by the attacker.

To mitigate the attack you either update OpenSSH and Dropbear to the their latest versions (OpenSSH 9.6 and Dropbear 2022.83) or disable the affected ciphers and encryption modes. We will show how to do the latter.

Mitigation for OpenSSH

We will show how to disable the affected ciphers on the example of Debian. We will use Docker to make this reproducible. Then we will verify our configuration using vulnerability scanner provided by the authors of the paper.

# docker run -it --rm debian:latest
# then run the following commands
apt-get update
apt-get install -y wget ssh
mkdir /run/sshd

# check if ssh is vulnerable
/usr/sbin/sshd
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill sshd

# print effective ssh configuration and filter out affected ciphers
# '*-cbc' ciphers should be disabled by default
sshd -T | sed -nr 's/(chacha20-poly1305@openssh\.com,|,chacha20-poly1305@openssh\.com)//gip' >> /etc/ssh/sshd_config

# re-check ssh
/usr/sbin/sshd
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill sshd

Mitigation for Dropbear on Debian

To disable the affected ciphers in Dropbear we need to recompile it. Here we show the steps again using a Docker container for the latest Debian and Terrapin scanner.

# docker run -it --rm debian:latest
# then run the following commands
apt-get update
apt-get install -y git wget build-essential zlib1g-dev
git clone https://github.com/mkj/dropbear
cd dropbear
# here we disable ChaCha20Poly1305 and enable GCM instead
# CBC is disabled by default
env CFLAGS='-DDROPBEAR_CHACHA20POLY1305=0 -DDROPBEAR_ENABLE_GCM_MODE=1' ./configure
make
make install

# check if dropbear is vulnerable
dropbear -R
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill dropbear

Mitigation for Dropbear on OpenWRT

For this Linux distribution you need cross compiler to recompile Dropbear. The easiest way to get it is to use official Docker image.

# docker run -it --rm -v $PWD/bin/:/builder/bin openwrt/sdk:latest
# Substitute 'latest' with your router's architecture.
# All tags are listed on DockerHub: https://hub.docker.com/r/openwrt/sdk/tags
# Then run the following commands.
./scripts/feeds update -a
make defconfig
sed -i 's/.*DROPBEAR_CHACHA20POLY1305.*/# CONFIG_DROPBEAR_CHACHA20POLY1305 is not set/' .config
./scripts/feeds install dropbear
make package/dropbear/compile
make package/index
# the IPK package is in 'bin' directory
# now we will check that dropbear is not vulnerable
# (you don't need to repeat this convoluted command)
env LD_LIBRARY_PATH=./staging_dir/toolchain-x86_64_gcc-12.3.0_musl/lib ./build_dir/target-x86_64_musl/toolchain/.pkgdir/libc/lib/ld-musl-x86_64.so.1 ./staging_dir/target-x86_64_musl/root-x86/usr/sbin/dropbear -R
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22

Upon exit the package will appear in bin directory. Then you copy it to your router and update Dropbear.

Defense in depth

Photo by Julia Solonina on Unsplash.

Disabling perfectly fine ciphers is might be an overkill. Terrapin attack does not break SSH session integrity, it only allows an attacker to disable keystroke timing obfuscation features of OpenSSH. Disabling ChaCha20Poly1305 in Dropbear (which is often used in embedded devices) would result in increased CPU usage: most embedded CPUs do not have hardware acceleration for AES ciphers which will be used instead.

The alternative is to establish SSH connection over a VPN. This would add an additional security layer with its own authenticated encryption and trust establishment method. VPNs are not a silver bullet against cyber attacks but a tool to implement defense-in-depth in your system. Knowing that you have another security layer when some protocol is breached gives you peace of mind and much needed time to implement proper mitigations.

Staex logo.

Staex is a secure public network for IoT devices that can not run a VPN such as smart meters, IP cameras, and EV chargers. Staex encrypts legacy protocols, reduces mobile data usage, and simplifies building networks with complex topologies through its unique multi-hop architecture. Staex is fully zero-trust meaning that no traffic is allowed unless specified by the device owner which makes it more secure than even some private networks. With this, Staex creates an additional separation layer to provide more security for IoT devices on the Internet, also protecting other Internet services from DDoS attacks that are usually executed on millions of IoT machines.

To stay up to date subscribe to our newsletter, follow us on LinkedIn and Twitter for updates and subscribe to our YouTube channel.