Terrapin
Scanner
If you want to check an SSH client or server for its susceptibility to Terrapin, the Ruhr University Bochum team provides a vulnerability scanner.[1]
RUB-NDS/Terrapin-Scanner: This repository contains a simple vulnerability scanner for the Terrapin attack present in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation". https://github.com/RUB-NDS/Terrapin-Scanner
export $GOPATH=~/.gobin go install github.com/RUB-NDS/Terrapin-Scanner@latest ln -s ../.go/bin/Terrapin-Scanner ~/.bin/Terrapin-Scanner
Scan the SSH server available at localhost port 2222
./Terrapin-Scanner --connect localhost:2222
If no port is specified, the tool will default to port 22 instead
./Terrapin-Scanner --connect localhost
Bad Result
$ Terrapin-Scanner -connect host1.com ================================================================================ ==================================== Report ==================================== ================================================================================ Remote Banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 ChaCha20-Poly1305 support: true CBC-EtM support: false Strict key exchange support: false The scanned peer is VULNERABLE to Terrapin. Note: This tool is provided as is, with no warranty whatsoever. It determines the vulnerability of a peer by checking the supported algorithms and support for strict key exchange. It may falsely claim a peer to be vulnerable if the vendor supports countermeasures other than strict key exchange. For more details visit our website available at https://terrapin-attack.com
Ok Result
(same host, but after apt update, apt upgrade...)
$ Terrapin-Scanner -connect host1.com ================================================================================ ==================================== Report ==================================== ================================================================================ Remote Banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 ChaCha20-Poly1305 support: true CBC-EtM support: false Strict key exchange support: true The scanned peer supports Terrapin mitigations and can establish connections that are NOT VULNERABLE to Terrapin. Glad to see this. For strict key exchange to take effect, both peers must support it. Note: This tool is provided as is, with no warranty whatsoever. It determines the vulnerability of a peer by checking the supported algorithms and support for strict key exchange. It may falsely claim a peer to be vulnerable if the vendor supports countermeasures other than strict key exchange. For more details visit our website available at https://terrapin-attack.com
keywords
- ↑ Nearly 11 million SSH servers vulnerable to new Terrapin attacks - https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/