Terrapin SSH attack: How worried should you be?

Concept art showing locked packlocks with one opened coloured in red, signifying a data breach
(Image credit: Getty Images)

Researchers have discovered ways to mount attacks on the SSH protocol used by millions of servers across the internet that could be used to undermine the security of connections.

The SSH protocol provides secure access to network services, such as remote terminal login and file transfer across organizational networks - and to over 15 million servers on the open internet.

It uses an authenticated key exchange to establish a secure channel between a client and a server, which protects messages sent in either direction, stopping anyone from manipulating or deleting anything.

It’s been around since the mid-90s, and this may be part of the problem: researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk of the Ruhr University Bochum, Germany said that as new features have been added to SSH over time, this has enabled new vulnerabilities, including the one they have called Terrapin.

While the potential for these attacks was already present in the original specification, as new authenticated encryption modes and extension messages were added, these weaknesses grew into exploitable vulnerabilities.

“We show that SSH fails to protect the integrity of the encrypted message stream against meddler-in-the-middle (MitM) attacks,” they said.

“More precisely, we present novel prefix truncation attacks against SSH: We show that the SSH Binary Packet Protocol is not a secure channel because a MitM attacker can delete a chosen number of integrity-protected packets from the beginning of the channel in either or both directions without being detected.”.

In their paper ‘Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation,’ they said there are two root causes that enable these attacks: that the SSH handshake supports optional messages that are not authenticated, and that SSH does not reset message sequence numbers when encryption is enabled.

“We show that as new encryption algorithms and mitigations were added to SSH, the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity… is broken for three widely used encryption modes,” the paper reads.

The paper presented four different potential attacks of increasing complexity and impact.

The first of these is ‘sequence number manipulation’ whereby an attacker can increase the receive counters of the server and the client by inserting messages into the handshake.

This is followed by the ‘prefix truncation attack’ that could allow an attacker to delete a chosen number of packets at the beginning of the secure channel without the client or the server detecting this change.

The ‘extension negotiation downgrade attack’ uses prefix truncation to break extension negotiation thereby downgrading the security of the connection, for example turning off protection against keystroke timing attacks.

The most serious potential attack is what the researchers call the ‘rogue extension’ and ‘rogue session’ attacks. In the first, the victim’s extension info message is replaced with one chosen by the attacker. 

The second attack – for which the attacker must have a user account on the same server as the victim - the attacker injects a malicious user authentication message so that the victim logs into a shell controlled by the attacker rather than the victim’s shell, “thereby giving the attacker complete control”.

However, in a question-and-answer blog post the researchers also ask themselves the question ‘I am an admin, should I drop everything and fix this?’ before responding ‘Probably not.’ That’s because the Terrapin attack has some limitations in that it requires an active MitM attacker with the means to intercept and modify the data sent from the client or server.


Whitepaper cover with title and logo over image of female worker wearing glasses with digital screens reflected in them and workstations in the background

(Image credit: Zscaler)

Discover how you can evolve your security strategy with AI-powered threat protection


That’s difficult to achieve on the internet, although it’s more possible on a local network. The attack also requires the use of a vulnerable encryption mode. The researchers said that their scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.

The flaw is fixed in the latest version of OpenSSH which was published earlier this week. 

The release notes refer to the Terrapin and state that “while cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection”.

Professor Alan Woodward, a cyber security expert at the University of Surrey said SSH is a protocol/tool that is "often overlooked" but very widely used for remote access. This is what makes any potential vulnerability particularly concerning .

Woodward said the vulnerabilities are not across all of SSH but relate to certain circumstances, cipher suites, and modes.

“There are elements of the attacks that are familiar from previous attacks in other scenarios on other cipher tools. I suspect some of this is because newer ciphers have been added…to various SSH implementations and in doing so the vulnerabilities found have been inadvertently created,” he told ITPro.

And he said that while 77% of internet facing systems have one of these vulnerabilities there is no need to panic. “It’s possible to mitigate or upgrade,” he said.

The researchers said that while there are backward-compatible countermeasures to stop their attacks, the security of the SSH protocol would benefit from “a redesign from scratch”.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.