A recently discovered flaw in New Terrapin could potentially allow attackers to downgrade SSH protocol security

A recently discovered flaw in New Terrapin could potentially allow attackers to downgrade SSH protocol security

Product and Affected Versions

The vulnerability, named Terrapin (CVE-2023-48795, CVSS score: 5.9), impacts a wide range of SSH client and server implementations, including but not limited to OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear.

Severity and CVE ID

The severity of this vulnerability is rated with a CVSS score of 5.9, marked under CVE-2023-48795.

Vulnerability Description

Terrapin introduces the “first ever practically exploitable prefix truncation attack” in the Secure Shell (SSH) cryptographic network protocol. It allows an attacker positioned as an active adversary-in-the-middle (AitM) to compromise the integrity of the secure channel by manipulating sequence numbers during the handshake process. This manipulation permits the removal of specific initial messages without detection by the client or server.

The attack leverages SSH extension negotiation, particularly targeting the truncation of the extension negotiation message (RFC8308) within the transcript. As a consequence, the attacker can downgrade the security of the SSH connection, potentially leading to the utilization of less secure client authentication algorithms and disabling critical countermeasures against keystroke timing attacks, notably observed in OpenSSH 9.5.

The exploit relies on the utilization of a vulnerable encryption mode, such as ChaCha20-Poly1305 or CBC with Encrypt-then-MAC, to compromise the connection’s security.

How Attack Works

By strategically manipulating sequence numbers during the handshake process, the attacker interferes with the exchange of initial messages between the client and server. This manipulation, specifically targeting the extension negotiation message (RFC8308), goes unnoticed, resulting in the compromise of the SSH connection’s security. The downgraded security measures may lead to the usage of less secure authentication algorithms and the deactivation of critical countermeasures against timing attacks, significantly impacting the confidentiality and integrity of the connection.


Maintainers of affected SSH client and server implementations, acknowledging the criticality of this vulnerability, have promptly released patches to mitigate the associated risks. Organizations are strongly advised to apply these patches immediately to safeguard their systems against potential exploitation.


The vulnerability and its impact have been highlighted by security researchers from Ruhr University Bochum, specifically Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk. Additional information and insights into the remediation process can be found in the respective advisories and patches released by the maintainers of affected SSH implementations.