Ivan
Posted on December 27, 2023
Terrapin is a recent prefix truncation attack on SSH that exploits deficiencies in the protocol specification, namely not resetting sequence number and not authenticating certain parts of handshake transcript. The attack requires man-in-the-middle, i.e. a rogue network node that intercepts the traffic. SSH protocol is used to remotely manage servers and IoT devices and is widely spread. In this article we explain how to secure your servers and devices from this attack.
Table of contents
- How to protect your SSH servers
- Mitigation for OpenSSH
- Mitigation for Dropbear on Debian
- Mitigation for Dropbear on OpenWRT
- Defense in depth
How to protect your SSH servers
According to the paper the attack is possible only if you use vulnerable ciphers and encryption modes: ChaCha20-Poly1305, CTR-EtM, CBC-EtM. Note that the ciphers and the encryption modes themselves are not vulnerable, but their input (sequence number) can be manipulated by the attacker.
To mitigate the attack you either update OpenSSH and Dropbear to the their latest versions (OpenSSH 9.6 and Dropbear 2022.83) or disable the affected ciphers and encryption modes. We will show how to do the latter.
Mitigation for OpenSSH
We will show how to disable the affected ciphers on the example of Debian. We will use Docker to make this reproducible. Then we will verify our configuration using vulnerability scanner provided by the authors of the paper.
# docker run -it --rm debian:latest
# then run the following commands
apt-get update
apt-get install -y wget ssh
mkdir /run/sshd
# check if ssh is vulnerable
/usr/sbin/sshd
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill sshd
# print effective ssh configuration and filter out affected ciphers
# '*-cbc' ciphers should be disabled by default
sshd -T | sed -nr 's/(chacha20-poly1305@openssh\.com,|,chacha20-poly1305@openssh\.com)//gip' >> /etc/ssh/sshd_config
# re-check ssh
/usr/sbin/sshd
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill sshd
Mitigation for Dropbear on Debian
To disable the affected ciphers in Dropbear we need to recompile it. Here we show the steps again using a Docker container for the latest Debian and Terrapin scanner.
# docker run -it --rm debian:latest
# then run the following commands
apt-get update
apt-get install -y git wget build-essential zlib1g-dev
git clone https://github.com/mkj/dropbear
cd dropbear
# here we disable ChaCha20Poly1305 and enable GCM instead
# CBC is disabled by default
env CFLAGS='-DDROPBEAR_CHACHA20POLY1305=0 -DDROPBEAR_ENABLE_GCM_MODE=1' ./configure
make
make install
# check if dropbear is vulnerable
dropbear -R
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
pkill dropbear
Mitigation for Dropbear on OpenWRT
For this Linux distribution you need cross compiler to recompile Dropbear. The easiest way to get it is to use official Docker image.
# docker run -it --rm -v $PWD/bin/:/builder/bin openwrt/sdk:latest
# Substitute 'latest' with your router's architecture.
# All tags are listed on DockerHub: https://hub.docker.com/r/openwrt/sdk/tags
# Then run the following commands.
./scripts/feeds update -a
make defconfig
sed -i 's/.*DROPBEAR_CHACHA20POLY1305.*/# CONFIG_DROPBEAR_CHACHA20POLY1305 is not set/' .config
./scripts/feeds install dropbear
make package/dropbear/compile
make package/index
# the IPK package is in 'bin' directory
# now we will check that dropbear is not vulnerable
# (you don't need to repeat this convoluted command)
env LD_LIBRARY_PATH=./staging_dir/toolchain-x86_64_gcc-12.3.0_musl/lib ./build_dir/target-x86_64_musl/toolchain/.pkgdir/libc/lib/ld-musl-x86_64.so.1 ./staging_dir/target-x86_64_musl/root-x86/usr/sbin/dropbear -R
wget https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64
chmod +x Terrapin_Scanner_Linux_amd64
./Terrapin_Scanner_Linux_amd64 -connect 127.0.0.1:22
Upon exit the package will appear in bin
directory. Then you copy it to your router and update Dropbear.
Defense in depth
Disabling perfectly fine ciphers might be an overkill. Terrapin attack does not break SSH session integrity, it only allows an attacker to disable keystroke timing obfuscation features of OpenSSH. Disabling ChaCha20Poly1305 in Dropbear (which is often used in embedded devices) would result in increased CPU usage: most embedded CPUs do not have hardware acceleration for AES ciphers which will be used instead.
The alternative is to establish SSH connection over a VPN. This would add an additional security layer with its own authenticated encryption and trust establishment method. VPNs are not a silver bullet against cyber attacks but a tool to implement defense-in-depth in your system. Knowing that you have another security layer when some protocol is breached gives you peace of mind and much needed time to implement proper mitigations.
We at Staex help our clients make IoT devices first-class citizens in their private networks, protect from common attacks, reduce mobile data usage, and enable audacious use cases that were not possible before. To learn more about our product please visit this page.
Posted on December 27, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.