CVE-2023-48795

UNKNOWN

Published 2023-12-18T00:00:00.000Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-48795. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Available Exploits

No exploits available for this CVE.

Related News

CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: MEDIUM)

Related content: PAN-SA-2025-0013 Chromium: Monthly Vulnerability Update (July 2025) (Severity: HIGH) CVE-2024-5916 PAN-OS: Cleartext Exposure of External System Secrets (Severity: MEDIUM) CVE-2025-4227 GlobalProtect App: Interception in Endpoint Traffic Poli…

Paloaltonetworks.com 2025-07-15 21:25

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

GHSA-45x7-px36-x8w8

Advisory Details

### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected] MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC (*[email protected]), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.

Affected Packages

crates.io russh

ECOSYSTEM: ≥0 <0.40.2

Go golang.org/x/crypto

ECOSYSTEM: ≥0.1.0 <0.17.0

PyPI paramiko

ECOSYSTEM: ≥2.5.0 <3.4.0

Go golang.org/x/crypto

ECOSYSTEM: ≥0 <0.0.0-20231218163308-9d2ee975ef9f

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

WEB https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-48795

WEB https://github.com/ssh-mitm/ssh-mitm/issues/165

WEB https://github.com/janmojzis/tinyssh/issues/81

WEB https://github.com/proftpd/proftpd/issues/456

WEB https://github.com/hierynomus/sshj/issues/916

WEB https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773

WEB https://github.com/paramiko/paramiko/issues/2337

WEB https://github.com/cyd01/KiTTY/issues/520

WEB https://github.com/PowerShell/Win32-OpenSSH/issues/2189

WEB https://github.com/mwiede/jsch/issues/457

WEB https://github.com/apache/mina-sshd/issues/445

WEB https://github.com/libssh2/libssh2/pull/1291

WEB https://github.com/mwiede/jsch/pull/461

WEB https://github.com/NixOS/nixpkgs/pull/275249

WEB https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0

WEB https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab

WEB https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3

WEB https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d

WEB https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951

WEB https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5

WEB https://security-tracker.debian.org/tracker/CVE-2023-48795

WEB https://security-tracker.debian.org/tracker/source-package/libssh2

WEB https://roumenpetrov.info/secsh/#news20231220

WEB https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg

WEB https://security-tracker.debian.org/tracker/source-package/trilead-ssh2

WEB https://security.gentoo.org/glsa/202312-16

WEB https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002

WEB https://oryx-embedded.com/download/#changelog

WEB https://nova.app/releases/#v11.8

WEB https://news.ycombinator.com/item?id=38732005

WEB https://news.ycombinator.com/item?id=38685286

WEB https://news.ycombinator.com/item?id=38684904

WEB https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC

WEB https://matt.ucc.asn.au/dropbear/CHANGES

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP

WEB https://www.vandyke.com/products/securecrt/history.txt

WEB https://www.theregister.com/2023/12/20/terrapin_attack_ssh

WEB https://www.terrapin-attack.com

WEB https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795

WEB https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed

WEB https://www.paramiko.org/changelog.html

WEB https://www.openwall.com/lists/oss-security/2023/12/20/3

WEB https://www.openwall.com/lists/oss-security/2023/12/18/2

WEB https://www.openssh.com/txt/release-9.6

WEB https://www.openssh.com/openbsd.html

WEB https://www.netsarang.com/en/xshell-update-history

WEB https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508

WEB https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

WEB https://www.debian.org/security/2023/dsa-5588

WEB https://www.debian.org/security/2023/dsa-5586

WEB https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update

WEB https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

WEB https://www.bitvise.com/ssh-server-version-history

WEB https://www.bitvise.com/ssh-client-version-history#933

WEB https://winscp.net/eng/docs/history#6.2.2

WEB https://ubuntu.com/security/CVE-2023-48795

WEB https://twitter.com/TrueSkrillor/status/1736774389725565005

WEB https://thorntech.com/cve-2023-48795-and-sftp-gateway

WEB https://support.apple.com/kb/HT214084

WEB https://security.netapp.com/advisory/ntap-20240105-0004

WEB https://security.gentoo.org/glsa/202312-17

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y

WEB https://github.com/rapier1/hpn-ssh/releases

WEB https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES

WEB https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES

WEB https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES

WEB https://github.com/openssh/openssh-portable/commits/master

WEB https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16

WEB https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15

WEB https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25

WEB https://github.com/erlang/otp/releases/tag/OTP-26.2.1

WEB https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42

WEB https://github.com/drakkan/sftpgo/releases/tag/v2.5.6

WEB https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22

ADVISORY https://github.com/advisories/GHSA-45x7-px36-x8w8

WEB https://github.com/TeraTermProject/teraterm/releases/tag/v5.1

WEB https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta

WEB https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6

WEB https://forum.netgate.com/topic/184941/terrapin-ssh-attack

WEB https://filezilla-project.org/versions.php

WEB https://crates.io/crates/thrussh/versions

WEB https://bugzilla.suse.com/show_bug.cgi?id=1217950

WEB https://bugzilla.redhat.com/show_bug.cgi?id=2254210

WEB https://bugs.gentoo.org/920280

WEB https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack

WEB https://access.redhat.com/security/cve/cve-2023-48795

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA

WEB https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html

WEB https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html

WEB https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html

WEB https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html

WEB https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795

WEB https://help.panic.com/releasenotes/transmit5

WEB https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg

WEB https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ

WEB https://go.dev/issue/64784

WEB https://go.dev/cl/550715

WEB https://gitlab.com/libssh/libssh-mirror/-/tags

WEB https://github.com/warp-tech/russh/releases/tag/v0.40.2

PACKAGE https://github.com/warp-tech/russh

WEB https://github.com/ronf/asyncssh/tags

WEB https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst

WEB http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html

WEB http://seclists.org/fulldisclosure/2024/Mar/21

WEB http://www.openwall.com/lists/oss-security/2023/12/18/3

WEB http://www.openwall.com/lists/oss-security/2023/12/19/5

WEB http://www.openwall.com/lists/oss-security/2023/12/20/3

WEB http://www.openwall.com/lists/oss-security/2024/03/06/3

WEB http://www.openwall.com/lists/oss-security/2024/04/17/8

Advisory provided by GitHub Security Advisory Database. Published: December 18, 2023, Modified: June 24, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post

Reddit • 2 months, 2 weeks ago

ElephantCares

I really need some help/advice/insight. I have a small, low traffic, website. (Pawstalk.net). I am with InMotion Hosting, ShopSite as my shopping cart, and Braintree as my Payment Processor. A couple of years ago, Braintree stopped having any kind of phone support, and contracted with a company called Security Metrics …