Security researchers at Ruhr-University Bochum have discovered a vulnerability in the Secure Shell (SSH) encrypted network protocol that could allow an attacker to reduce the security of the connection by compromising the integrity of the secure channel.
Dubbed Terrapin (CVE-2023-48795, CVSS score: 5.9), the vulnerability has been described as "the first ever actually exploitable prefix truncation attack" by researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk.
SSH is a method of securely sending commands to a computer over an unsecured network. It relies on encryption technology to authenticate and encrypt connections between devices.
This is accomplished through a handshake, in which the client and server agree on cryptographic primitives and exchange the keys required to establish a secure channel that provides confidentiality and integrity guarantees.
However, when SSH extension negotiation is used, the security of an SSH connection can be reduced by a bad actor in the position of an Active Adversary in the Middle (AitM), one capable of intercepting and modifying traffic at the TCP/IP layer.
"This attack can be carried out in practice, allowing an attacker to reduce the security of the connection by truncating the extension negotiation message (RFC8308) from the transcript," the researchers explained.
"Truncation may result in the use of less secure client authentication algorithms and the disabling of specific countermeasures against keystroke timing attacks in OpenSSH 9.5."
Another key prerequisite for launching the attack is that the connection be secured with a vulnerable encryption mode, such as ChaCha20-Poly1305 or a CBC cipher combined with Encrypt-then-MAC.
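The preconditions in the preceding paragraphs (an SSH handshake that negotiates ChaCha20-Poly1305 or a CBC cipher with an Encrypt-then-MAC MAC) can be checked from the two KEXINIT messages the peers exchange. The following is an added audit example, not code from the researchers or from any of the named SSH projects. It parses SSH_MSG_KEXINIT payloads (RFC 4253), applies the standard "first client preference the server supports" selection rule, and reports whether the negotiated modes are among those the article names. The `kex-strict-*-v00@openssh.com` pseudo-algorithm names are OpenSSH's strict key exchange countermeasure; they are not mentioned on this page and are taken from OpenSSH. All KEXINIT payloads below are constructed sample data, not captured traffic.

```python
import struct

# Conditions named in the article: the connection is at risk when it is
# secured with ChaCha20-Poly1305, or with a CBC cipher whose MAC runs in
# Encrypt-then-MAC (ETM) mode.
CHACHA20 = "chacha20-poly1305@openssh.com"
# OpenSSH's "strict kex" countermeasure is signalled by pseudo-algorithm names
# in the kex name-list (assumption: taken from OpenSSH, not from the page).
STRICT_KEX_C = "kex-strict-c-v00@openssh.com"
STRICT_KEX_S = "kex-strict-s-v00@openssh.com"

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Assemble an SSH_MSG_KEXINIT payload (used here only to construct samples)."""
    payload = bytes([20]) + cookie            # message type 20 + 16-byte cookie
    for names in lists:
        s = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(s)) + s
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return payload


def _name_list(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type + random cookie
    out = {}
    for f in FIELDS:
        out[f], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def negotiate(client_list, server_list):
    """RFC 4253 choice rule: the first client preference the server also supports."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def vulnerable_mode(cipher, mac):
    """True when the cipher/MAC pair is one the article names as exploitable."""
    if cipher == CHACHA20:
        return True
    return bool(cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"))


def assess(client, server):
    """Evaluate a parsed client/server KEXINIT pair and report the preconditions."""
    modes = []
    for enc, mac in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        c = negotiate(client[enc], server[enc])
        m = negotiate(client[mac], server[mac])
        modes.append((c, m, vulnerable_mode(c, m)))
    # The countermeasure only takes effect when both peers advertise it.
    strict = STRICT_KEX_C in client["kex"] and STRICT_KEX_S in server["kex"]
    return {
        "c2s": modes[0],
        "s2c": modes[1],
        "strict_kex": strict,
        "at_risk": any(v for _, _, v in modes) and not strict,
    }


def assess_payloads(client_payload, server_payload):
    return assess(parse_kexinit(client_payload), parse_kexinit(server_payload))


def sample_kexinit(kex, ciphers, macs=("hmac-sha2-256-etm@openssh.com",)):
    """Constructed sample KEXINIT with symmetric cipher/MAC lists in both directions."""
    return build_kexinit([list(kex), ["ssh-ed25519"], list(ciphers), list(ciphers),
                          list(macs), list(macs), ["none"], ["none"], [], []])


# Constructed samples: an unpatched pair preferring ChaCha20, and a patched pair
# preferring AES-GCM and advertising strict kex.
UNPATCHED_CLIENT = sample_kexinit(["curve25519-sha256"], [CHACHA20, "aes256-gcm@openssh.com"])
UNPATCHED_SERVER = sample_kexinit(["curve25519-sha256"], ["aes256-gcm@openssh.com", CHACHA20])
PATCHED_CLIENT = sample_kexinit(["curve25519-sha256", STRICT_KEX_C], ["aes256-gcm@openssh.com", CHACHA20])
PATCHED_SERVER = sample_kexinit(["curve25519-sha256", STRICT_KEX_S], ["aes256-gcm@openssh.com", CHACHA20])

if __name__ == "__main__":
    for label, c, s in [("unpatched pair", UNPATCHED_CLIENT, UNPATCHED_SERVER),
                        ("patched pair", PATCHED_CLIENT, PATCHED_SERVER),
                        ("old client, patched server", UNPATCHED_CLIENT, PATCHED_SERVER)]:
        print(label, assess_payloads(c, s))
```

The third case in the usage loop is the situation the article's closing quote warns about: a patched server cannot protect a session when the peer still prefers a vulnerable mode and does not advertise the countermeasure, so inventories must cover clients as well as servers.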
"In a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or use administrator privileged access to take control of critical systems," Qualys said. "For organizations with large interconnected networks that provide privileged data access, the risk is particularly serious."
This flaw affects many SSH client and server implementations, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting maintainers to release patches to mitigate potential risks.
"Because SSH servers, especially OpenSSH, are so commonly used in cloud-based enterprise application environments, companies must ensure they take appropriate steps to patch their servers," Yair Mizrahi, senior security researcher at JFrog Security Research, told The Hacker News.
"However, a vulnerable client connecting to a patched server will still render the connection vulnerable. Therefore, companies must also take steps to identify every vulnerable situation across the entire infrastructure and apply mitigation measures immediately."