Prefix truncation MITM attack on SSH protocol — Terrapin

CVE-2023-48795 describes a prefix truncation attack on the SSH (Secure Shell) protocol.

The vulnerability is called Terrapin. Why Terrapin? Terrapin is a small North American turtle (shell, get it?).

Reminds me of my alma mater, the University of Maryland, College Park. The college football team is called the Maryland Terrapins, as diamondback terrapins are endemic to the Chesapeake Bay region.

CVE-2023-48795 has been classified as moderate severity as it requires an active Man-in-the-Middle (MITM) who can intercept and modify the connection’s traffic at the TCP/IP layer.

By manipulating sequence numbers during the SSH handshake, an attacker can remove the initial messages on the secure channel (the prefix, hence "prefix truncation") without causing the MAC integrity check to fail.
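Why the MAC does not catch a deleted prefix, and why resetting the counter fixes it, as an added toy model (not code from the advisory or from OpenSSH): the SSH MAC covers the implicit per-direction sequence number plus the packet, and that counter is also advanced by the unauthenticated handshake messages. The key, message names and the three-message handshake are constructed for illustration; encryption is left out.

```python
import hmac
import hashlib

# Toy model of the SSH binary packet protocol's integrity check (not OpenSSH
# code): the MAC covers the implicit 32-bit sequence number plus the packet,
# so both ends must agree on the counter. Encryption is omitted for clarity.
KEY = b"constructed-shared-mac-key"  # constructed sample key


def packet_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One direction's sequence counter; strict=True models the counter reset."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.seq = 0

    def saw_handshake_message(self) -> None:
        # Unauthenticated key-exchange messages still advance the counter.
        self.seq += 1

    def on_newkeys(self) -> None:
        self.saw_handshake_message()
        if self.strict:  # mitigation: restart counting at 0 after NEWKEYS
            self.seq = 0

    def protect(self, payload: bytes) -> tuple:
        tag = packet_mac(KEY, self.seq, payload)
        self.seq += 1
        return payload, tag

    def verify(self, payload: bytes, tag: bytes) -> bool:
        ok = hmac.compare_digest(tag, packet_mac(KEY, self.seq, payload))
        self.seq += 1
        return ok


def prefix_truncation_detected(strict: bool) -> bool:
    """Drop the first MAC-protected message; report whether the receiver notices."""
    sender, receiver = Endpoint(strict), Endpoint(strict)
    for _ in range(3):  # constructed handshake messages seen by both ends
        sender.saw_handshake_message()
        receiver.saw_handshake_message()
    receiver.saw_handshake_message()  # one extra unauthenticated message reached only the receiver
    sender.on_newkeys()
    receiver.on_newkeys()
    first, second = sender.protect(b"EXT_INFO"), sender.protect(b"USERAUTH_REQUEST")
    # 'first' never arrives; the receiver checks 'second' against its own counter.
    return not receiver.verify(*second)
```

Without the reset the receiver's counter is already one ahead, so the deletion is invisible to the MAC; with the reset both sides restart at zero and the mismatch is caught. OpenSSH's strict key exchange additionally aborts the connection on unexpected messages during the handshake, which the toy model does not show.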

More info at

I asked ChatGPT 4.0 and Bard this question.

In ssh Terrapin attack, if attackers remove leading bytes and forge messages or inject malicious data, wouldn’t integrity verification fail?

ChatGPT 4.0 replied:

In the SSH Terrapin attack, even if attackers remove leading bytes and forge or inject malicious data, the integrity verification might not immediately fail. This is due to the specific manipulation of sequence numbers and the use of certain ciphers where integrity checks are performed in a way that can be evaded under certain conditions. The attack strategically manipulates the SSH handshake process to avoid immediate detection, allowing the truncated or altered packets to be processed without raising immediate errors.

Bard replied:

Yes, you’re right. In a secure implementation of SSH, integrity verification should indeed fail if attackers tamper with the message content, including removing leading bytes or injecting malicious data.

Here’s a breakdown of how integrity verification works in SSH and how attacks like Terrapin attempted to circumvent it:

Integrity Verification in SSH:

  • Message Authentication Codes (MACs):
    Each SSH message is appended with a MAC, calculated using a shared secret key and the message content.
  • Verification:
    Upon receiving a message, the recipient recalculates the MAC and compares it with the received MAC.
  • Mismatch Detection:
    A mismatch indicates tampering, and the recipient should discard the message.

Terrapin Attack (Prior to RFC 8308):

  • Exploited Prefix Predictability:
    Attackers could predict the prefix of certain messages and manipulate the MAC calculation to bypass integrity checks.
  • Manipulation:
    By removing leading bytes and adjusting the MAC accordingly, they could inject malicious data without triggering immediate detection.

RFC 8308 Mitigation:

  • Sequence Number Reset:
    Disrupts prefix predictability by resetting sequence numbers after key exchange.

  • Potential Additional Checks:
    Might also include further integrity checks during the handshake to strengthen detection.

Even with RFC 8308, it’s crucial to employ a layered security approach:

  • Regular software updates
  • Strong authentication methods
  • Access controls
  • Vulnerability scanning
  • Intrusion detection systems

ChatGPT 4.0 vs Bard

Looks like (the free) Bard gave a much better answer.
