search

janmojzis / tinyssh

TinySSH is small server (less than 100000 words of code)
Creative Commons Zero v1.0 Universal
1.44k stars 79 forks source link

CVE-2023-48795 / Terrapin Attack #81

Closed carnil closed 11 months ago

carnil commented 11 months ago

Hi

tinyssh seems prone to the Terrapin Attack (CVE-2023-48795) as well.

Details on: https://terrapin-attack.com/

Testing a recent version:

================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-tinyssh_20230101-3 cWKeTzJf

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

==> The scanned peer is VULNERABLE to Terrapin.

Note: This tool is provided as is, with no warranty whatsoever. It determines
      the vulnerability of a peer by checking the supported algorithms and
      support for strict key exchange. It may falsely claim a peer to be
      vulnerable if the vendor supports countermeasures other than strict key
      exchange.

For more details visit our website available at https://terrapin-attack.com
janmojzis commented 11 months ago

implementation kex-strict-s-v00@openssh.com: https://github.com/janmojzis/tinyssh/pull/82

janmojzis commented 11 months ago

'Terrapin Attack' allows the attacker MITM attack, when they can drop some SSH packets without the server noticing it.

The worst impact of the attack for SSH key-exchange protocol is that the attacker can drop some extension SSH packets such as EXT_INFO and downgrade the connection's security.

Tinyssh does not support any such extension, so downgrade attack is simply impossible by design. And even if attacker injects some packet drops, it will reach that the connection will be at most interrupted.

In summary, Tinyssh can't be exploited throughout this vulnerability, but SSH key-exchange design is vulnerable. Openssh developers released an 'strict-key' key exchange kex-strict-s-v00@openssh.com (and kex-strict-c-v00@openssh.com for the client) which solves this problem. In TinySSH implemented here: https://github.com/janmojzis/tinyssh/issues/82 and will be included in the next release 20240101.