11 million SSH servers are at risk of Terrapin attacks, here's how to protect yourself


Almost 11 million SSH servers have been identified as vulnerable to the Terrapin attack method, security researchers have revealed.

Threat monitoring platform Shadowserver released a report on the number of hosts running SSH instances vulnerable to CVE-2023-48795, otherwise known as the Terrapin attack.

Over half of the accessible SSH servers scanned by Shadowserver were identified as vulnerable to the method, a man-in-the-middle (MiTM) attack which breaks the integrity of SSH secure channels.

The report also broke down the number of vulnerable servers by region, showing the US had by far the most unique IP addresses with the vulnerability, totalling over 3.1 million.

Other nations with a large number of vulnerable servers include China (1.3 million), Germany (1 million), and Russia (660,000). 

The Terrapin vulnerability was first disclosed by a team of researchers at the Ruhr University Bochum, Germany, in December 2023. Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk found that new additions to the SSH protocol meant the SSH Binary Packet Protocol was no longer a secure channel.

This allows prefix truncation attacks, in which threat actors delete certain encrypted packets at the beginning of the SSH channel without the server noticing.

In their paper outlining the technical details of the attack, Bäumer et al. explain how the vulnerability could be put to use by hackers in the future.

“We show that we can fully break SSH extension negotiation (RFC 8308), such that an attacker can downgrade the public key algorithms for user authentication or turn off a new countermeasure against keystroke timing attacks introduced in OpenSSH 9.5,” the paper reads.

How serious is the risk of a Terrapin attack?

Three Common Vulnerabilities and Exposures (CVE) identifiers were created by the Mitre Corporation following the disclosure, and the severity was classified as medium.

James Pickard, head of security testing at IT Governance, told ITPro the 5.9 base score is a result of the exploit requiring a MiTM attack, which relies on the attacker already having access to the network.

“Due to the fact that the attacker has to be in a man-in-the-middle scenario, it partly means the attack complexity is high, making it something that cannot just be exploited from an external connection,” he said. 

The sheer scale of SSH servers that have this vulnerability may still be a cause for concern, however. 

For example, in an internet-wide scan for vulnerable encryption modes, the researchers from the Ruhr University Bochum found 77% of SSH servers support an exploitable encryption mode, with 57% listing it as their preferred choice.

Matthew Dowson, cyber security lead at iomart, told ITPro there could be nearly 4 million compromised servers over the coming months if the vulnerability is not addressed.

“If we map this to the 11 million internet exposed SSH servers vulnerable to the Terrapin attack, it may be reasonable to expect that in excess of 3.8m SSH servers could be compromised over the coming months.”

Dowson also warned MiTM attacks could lead to longer-term and more advanced cyber attacks.

“It should also be noted that MiTM attacks are often used as an initial entry point or beachhead for more long-term advanced persistent threat (APT) campaigns within a company’s digital environment,” he said.

“Attacks which obtain items, such as user credentials, can then go on to access numerous assets on the attack surface. In turn, this can lead to data-exfiltration, disruption to production environments or even attackers taking control of whole swathes of IT infrastructure.”

How can businesses protect themselves?

Pickard advised businesses to evaluate their network protocols in light of the newly discovered vulnerabilities, to establish the level of risk they are exposed to.

“Businesses should conduct their own risk assessment based on these vulnerabilities identified. They should consider factors such as what data is being requested and sent, whether the service is publicly accessible, and where the connections are being made from.”

Businesses should also ensure they patch their servers accordingly, Pickard added, although this may be difficult if you are regularly using third-party SSH services.

“To protect themselves, both the client and server must be patched. However, if you are connecting to a third-party SSH service or hosting the SSH connection, it may not be possible for you to check they are both patched. This is where it is important to have a strong supply chain.”

Dowson advised companies to make themselves aware of the detection methods that can help identify a MiTM attack, which include watching for slow or disconnected services, deploying packet inspection, and endpoint detection tooling.
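Pickard's point that both client and server must be patched, and that this is hard to verify for a third-party service, can be checked from what each side advertises at connection time. The Python below is an added, defender-side example; it is not code from the ITPro article or from the Terrapin researchers. It serialises and parses the SSH_MSG_KEXINIT message (RFC 4253 section 7.1) in which each peer lists its algorithms, runs the RFC 4253 negotiation, and reports whether the session would land on one of the modes the Terrapin disclosure names as exploitable (ChaCha20-Poly1305, or a CBC cipher paired with an encrypt-then-MAC MAC) and whether both peers offer the "strict kex" countermeasure that OpenSSH 9.6 signals with the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com names. The article itself does not name these algorithms; they come from the Terrapin disclosure and the OpenSSH 9.6 release notes. The peer algorithm lists are constructed samples, not captures from real hosts.

```python
# Added example (not from the ITPro article or the Terrapin researchers): parse
# SSH_MSG_KEXINIT, negotiate per RFC 4253, and assess Terrapin exposure.
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]
# Pseudo-algorithm names OpenSSH 9.6 appends to kex_algorithms to offer strict kex.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"


def _name_list(items):
    data = ",".join(items).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from a dict mapping NAME_LISTS entries to lists."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        payload += _name_list(fields.get(name, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved, always zero
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + name)
        pos += length
        fields[name] = [s for s in raw.decode("ascii").split(",") if s]
    return fields


def negotiate(client_list, server_list):
    """RFC 4253: the first algorithm on the client's list that the server also offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def mode_is_terrapin_exploitable(cipher, mac):
    """Modes named in the Terrapin disclosure: ChaCha20-Poly1305, or any CBC cipher
    combined with an encrypt-then-MAC (-etm) MAC. AEAD GCM and CTR with a plain MAC are not."""
    if cipher == CHACHA:
        return True
    return bool(cipher and mac and cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def assess_connection(client, server):
    """Given both parsed KEXINITs, report negotiated modes and whether the session is exposed."""
    c2s_cipher = negotiate(client["encryption_client_to_server"], server["encryption_client_to_server"])
    s2c_cipher = negotiate(client["encryption_server_to_client"], server["encryption_server_to_client"])
    c2s_mac = negotiate(client["mac_client_to_server"], server["mac_client_to_server"])
    s2c_mac = negotiate(client["mac_server_to_client"], server["mac_server_to_client"])
    exploitable = (mode_is_terrapin_exploitable(c2s_cipher, c2s_mac)
                   or mode_is_terrapin_exploitable(s2c_cipher, s2c_mac))
    # Strict kex only takes effect when BOTH peers advertise it, which is why a
    # patched client alone does not help against an unpatched server.
    strict_both = (STRICT_KEX_CLIENT in client["kex_algorithms"]
                   and STRICT_KEX_SERVER in server["kex_algorithms"])
    return {
        "c2s": (c2s_cipher, c2s_mac), "s2c": (s2c_cipher, s2c_mac),
        "exploitable_mode": exploitable,
        "strict_kex_both_sides": strict_both,
        "exposed": exploitable and not strict_both,
    }


def _sample(kex, ciphers, macs):
    """Constructed KEXINIT contents for a sample peer (not a real host)."""
    return {
        "kex_algorithms": kex, "server_host_key_algorithms": ["ssh-ed25519"],
        "encryption_client_to_server": ciphers, "encryption_server_to_client": ciphers,
        "mac_client_to_server": macs, "mac_server_to_client": macs,
        "compression_client_to_server": ["none"], "compression_server_to_client": ["none"],
        "languages_client_to_server": [], "languages_server_to_client": [],
    }


_CIPHERS = [CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"]
_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
SERVER_UNPATCHED = _sample(["curve25519-sha256"], _CIPHERS, _MACS)
SERVER_PATCHED = _sample(["curve25519-sha256", STRICT_KEX_SERVER], _CIPHERS, _MACS)
CLIENT_PATCHED = _sample(["curve25519-sha256", STRICT_KEX_CLIENT], [CHACHA, "aes256-gcm@openssh.com"], _MACS)
# A client whose config simply prefers GCM: the exploitable mode is never negotiated.
CLIENT_GCM_FIRST = _sample(["curve25519-sha256"], ["aes256-gcm@openssh.com", CHACHA], ["hmac-sha2-256"])


def run_samples():
    """Round-trip the server KEXINIT through the wire format, then assess three pairings."""
    server_unpatched = parse_kexinit(build_kexinit(SERVER_UNPATCHED))
    return {
        "patched_client_vs_unpatched_server": assess_connection(CLIENT_PATCHED, server_unpatched),
        "patched_client_vs_patched_server": assess_connection(CLIENT_PATCHED, SERVER_PATCHED),
        "gcm_client_vs_unpatched_server": assess_connection(CLIENT_GCM_FIRST, server_unpatched),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, "->", "EXPOSED" if result["exposed"] else "ok", result)
```

The three pairings show the two ways out of exposure that the article's advice implies: a patched client against an unpatched third-party server still negotiates ChaCha20-Poly1305 without strict kex and is exposed, a patched pair is not, and a client that simply prefers an AEAD GCM cipher never reaches the exploitable mode at all, so removing ChaCha20-Poly1305 and CBC-with-ETM from the Ciphers and MACs lists in sshd_config and ssh_config is a mitigation that does not depend on the other side being patched. To check a real peer, feed parse_kexinit the KEXINIT payload from a packet capture, or transcribe the "peer server KEXINIT proposal" lists that ssh -vv prints into a dict of the same shape.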

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.