CVE-2023-48795

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-48795
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Release Notes
https://matt.ucc.asn.au/dropbear/CHANGES Release Notes
https://www.openssh.com/openbsd.html Release Notes
https://github.com/openssh/openssh-portable/commits/master Patch
https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ Mailing List
https://www.bitvise.com/ssh-server-version-history Release Notes
https://github.com/ronf/asyncssh/tags Release Notes
https://gitlab.com/libssh/libssh-mirror/-/tags Release Notes
https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ Issue Tracking
https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 Patch
https://www.openssh.com/txt/release-9.6 Release Notes
https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ Press/Media Coverage
https://www.terrapin-attack.com Exploit
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 Patch
https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst Release Notes
https://thorntech.com/cve-2023-48795-and-sftp-gateway/ Third Party Advisory
https://github.com/warp-tech/russh/releases/tag/v0.40.2 Release Notes
https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 Patch
https://www.openwall.com/lists/oss-security/2023/12/18/2 Mailing List
https://twitter.com/TrueSkrillor/status/1736774389725565005 Press/Media Coverage
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d Patch
https://github.com/paramiko/paramiko/issues/2337 Issue Tracking
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg Mailing List
https://news.ycombinator.com/item?id=38684904 Issue Tracking
https://news.ycombinator.com/item?id=38685286 Issue Tracking
http://www.openwall.com/lists/oss-security/2023/12/18/3 Mailing List
https://github.com/mwiede/jsch/issues/457 Issue Tracking
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 Patch
https://github.com/erlang/otp/releases/tag/OTP-26.2.1 Release Notes
https://github.com/advisories/GHSA-45x7-px36-x8w8 Third Party Advisory
https://security-tracker.debian.org/tracker/source-package/libssh2 Vendor Advisory
https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg Vendor Advisory
https://security-tracker.debian.org/tracker/CVE-2023-48795 Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1217950 Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2254210 Issue Tracking
https://bugs.gentoo.org/920280 Issue Tracking
https://ubuntu.com/security/CVE-2023-48795 Vendor Advisory
https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ Press/Media Coverage
https://access.redhat.com/security/cve/cve-2023-48795 Third Party Advisory
https://github.com/mwiede/jsch/pull/461 Release Notes
https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 Release Notes
https://github.com/libssh2/libssh2/pull/1291 Mitigation
https://forum.netgate.com/topic/184941/terrapin-ssh-attack Issue Tracking
https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 Patch
https://github.com/rapier1/hpn-ssh/releases Release Notes
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES Release Notes
https://www.netsarang.com/en/xshell-update-history/ Release Notes
https://www.paramiko.org/changelog.html Release Notes
https://github.com/proftpd/proftpd/issues/456 Issue Tracking
https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 Release Notes
https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 Product
https://oryx-embedded.com/download/#changelog Release Notes
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update Release Notes
https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 Third Party Advisory
https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab Patch
https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 Patch
https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC Patch
https://crates.io/crates/thrussh/versions Release Notes
https://github.com/NixOS/nixpkgs/pull/275249 Release Notes
http://www.openwall.com/lists/oss-security/2023/12/19/5 Mailing List
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc Release Notes
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ Press/Media Coverage
http://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List Mitigation
https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES Release Notes
https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES Release Notes
https://github.com/apache/mina-sshd/issues/445 Issue Tracking
https://github.com/hierynomus/sshj/issues/916 Issue Tracking
https://github.com/janmojzis/tinyssh/issues/81 Issue Tracking
https://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List Mitigation
https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 Issue Tracking
https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 Patch
http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html Third Party Advisory VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ Vendor Advisory
https://www.debian.org/security/2023/dsa-5586 Issue Tracking
https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 Vendor Advisory
https://www.theregister.com/2023/12/20/terrapin_attack_ssh Press/Media Coverage
https://filezilla-project.org/versions.php Release Notes
https://nova.app/releases/#v11.8 Release Notes
https://roumenpetrov.info/secsh/#news20231220 Release Notes
https://www.vandyke.com/products/securecrt/history.txt Release Notes
https://help.panic.com/releasenotes/transmit5/ Release Notes
https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta Release Notes
https://github.com/PowerShell/Win32-OpenSSH/issues/2189 Issue Tracking
https://winscp.net/eng/docs/history#6.2.2 Release Notes
https://www.bitvise.com/ssh-client-version-history#933 Release Notes
https://github.com/cyd01/KiTTY/issues/520 Issue Tracking
https://www.debian.org/security/2023/dsa-5588 Issue Tracking
https://github.com/ssh-mitm/ssh-mitm/issues/165 Issue Tracking
https://news.ycombinator.com/item?id=38732005 Issue Tracking
https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html Mailing List
https://security.gentoo.org/glsa/202312-16 Third Party Advisory
https://security.gentoo.org/glsa/202312-17 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/
https://security.netapp.com/advisory/ntap-20240105-0004/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
Configurations

Configuration 1 (hide)

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:microsoft:powershell:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:a:panic:transmit_5:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:a:panic:nova:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Configuration 7 (hide)

cpe:2.3:a:roumenpetrov:pkixssh:*:*:*:*:*:*:*:*

Configuration 8 (hide)

cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*

Configuration 9 (hide)

cpe:2.3:a:bitvise:ssh_client:*:*:*:*:*:*:*:*

Configuration 10 (hide)

cpe:2.3:a:bitvise:ssh_server:*:*:*:*:*:*:*:*

Configuration 11 (hide)

cpe:2.3:o:lancom-systems:lcos:*:*:*:*:*:*:*:*

Configuration 12 (hide)

cpe:2.3:o:lancom-systems:lcos_fx:-:*:*:*:*:*:*:*

Configuration 13 (hide)

cpe:2.3:o:lancom-systems:lcos_lx:-:*:*:*:*:*:*:*

Configuration 14 (hide)

OR cpe:2.3:o:lancom-systems:lcos_sx:5.20:*:*:*:*:*:*:*
cpe:2.3:o:lancom-systems:lcos_sx:4.20:*:*:*:*:*:*:*

Configuration 15 (hide)

cpe:2.3:o:lancom-systems:lanconfig:-:*:*:*:*:*:*:*

Configuration 16 (hide)

cpe:2.3:a:vandyke:securecrt:*:*:*:*:*:*:*:*

Configuration 17 (hide)

cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*

Configuration 18 (hide)

cpe:2.3:a:net-ssh:net-ssh:7.2.0:*:*:*:*:ruby:*:*

Configuration 19 (hide)

cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:*

Configuration 20 (hide)

cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*

Configuration 21 (hide)

cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*

Configuration 22 (hide)

cpe:2.3:a:crates:thrussh:*:*:*:*:*:*:*:*

Configuration 23 (hide)

cpe:2.3:a:tera_term_project:tera_term:*:*:*:*:*:*:*:*

Configuration 24 (hide)

cpe:2.3:a:oryx-embedded:cyclone_ssh:*:*:*:*:*:*:*:*

Configuration 25 (hide)

cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*

Configuration 26 (hide)

cpe:2.3:a:netsarang:xshell_7:*:*:*:*:*:*:*:*

Configuration 27 (hide)

cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:*

Configuration 28 (hide)

cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*

Configuration 29 (hide)

OR cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*

Configuration 30 (hide)

cpe:2.3:a:redhat:ceph_storage:6.0:*:*:*:*:*:*:*

Configuration 31 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Configuration 32 (hide)

cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*

Configuration 33 (hide)

cpe:2.3:a:redhat:openshift_gitops:-:*:*:*:*:*:*:*

Configuration 34 (hide)

cpe:2.3:a:redhat:openshift_pipelines:-:*:*:*:*:*:*:*

Configuration 35 (hide)

cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*

Configuration 36 (hide)

cpe:2.3:a:redhat:openshift_data_foundation:4.0:*:*:*:*:*:*:*

Configuration 37 (hide)

cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*

Configuration 38 (hide)

cpe:2.3:a:redhat:openshift_virtualization:4:*:*:*:*:*:*:*

Configuration 39 (hide)

cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*

Configuration 40 (hide)

cpe:2.3:a:redhat:discovery:-:*:*:*:*:*:*:*

Configuration 41 (hide)

cpe:2.3:a:redhat:openshift_dev_spaces:-:*:*:*:*:*:*:*

Configuration 42 (hide)

cpe:2.3:a:redhat:cert-manager_operator_for_red_hat_openshift:-:*:*:*:*:*:*:*

Configuration 43 (hide)

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

Configuration 44 (hide)

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*

Configuration 45 (hide)

cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

Configuration 46 (hide)

OR cpe:2.3:a:redhat:advanced_cluster_security:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*

Configuration 47 (hide)

cpe:2.3:a:golang:crypto:*:*:*:*:*:*:*:*

Configuration 48 (hide)

cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*

Configuration 49 (hide)

cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*

Configuration 50 (hide)

cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*

Configuration 51 (hide)

cpe:2.3:a:matez:jsch:*:*:*:*:*:*:*:*

Configuration 52 (hide)

cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*

Configuration 53 (hide)

cpe:2.3:a:asyncssh_project:asyncssh:*:*:*:*:*:*:*:*

Configuration 54 (hide)

cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:*:*:*:*:*:*:*:*

Configuration 55 (hide)

cpe:2.3:a:jadaptive:maverick_synergy_java_ssh_api:*:*:*:*:*:*:*:*

Configuration 56 (hide)

cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*

Configuration 57 (hide)

cpe:2.3:o:thorntech:sftp_gateway_firmware:*:*:*:*:*:*:*:*

Configuration 58 (hide)

cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:*

Configuration 59 (hide)

cpe:2.3:a:netgate:pfsense_ce:*:*:*:*:*:*:*:*

Configuration 60 (hide)

cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*

Configuration 61 (hide)

cpe:2.3:a:connectbot:sshlib:*:*:*:*:*:*:*:*

Configuration 62 (hide)

cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*

Configuration 63 (hide)

cpe:2.3:a:apache:sshj:*:*:*:*:*:*:*:*

Configuration 64 (hide)

cpe:2.3:a:tinyssh:tinyssh:*:*:*:*:*:*:*:*

Configuration 65 (hide)

cpe:2.3:a:trilead:ssh2:6401:*:*:*:*:*:*:*

Configuration 66 (hide)

cpe:2.3:a:kitty_project:kitty:*:*:*:*:*:*:*:*

Configuration 67 (hide)

AND
cpe:2.3:a:gentoo:security:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*
Information

Published : 2023-12-18 16:15

Updated : 2024-01-11 04:15

NVD link : CVE-2023-48795

Mitre link : CVE-2023-48795

JSON object : View

Products Affected

apache

  • sshj
  • sshd

winscp

  • winscp

libssh2

  • libssh2

redhat

  • ceph_storage
  • keycloak
  • single_sign-on
  • jboss_enterprise_application_platform
  • openstack_platform
  • cert-manager_operator_for_red_hat_openshift
  • openshift_container_platform
  • enterprise_linux
  • discovery
  • openshift_serverless
  • openshift_api_for_data_protection
  • advanced_cluster_security
  • storage
  • openshift_gitops
  • openshift_pipelines
  • openshift_dev_spaces
  • openshift_data_foundation
  • openshift_virtualization
  • openshift_developer_tools_and_services

putty

  • putty

netsarang

  • xshell_7

asyncssh_project

  • asyncssh

thorntech

  • sftp_gateway_firmware

lancom-systems

  • lcos
  • lcos_sx
  • lcos_fx
  • lcos_lx
  • lanconfig

gentoo

  • security

connectbot

  • sshlib

tera_term_project

  • tera_term

filezilla-project

  • filezilla_client

oryx-embedded

  • cyclone_ssh

netgate

  • pfsense_plus
  • pfsense_ce

debian

  • debian_linux

libssh

  • libssh

ssh2_project

  • ssh2

golang

  • crypto

matez

  • jsch

erlang

  • erlang\/otp

bitvise

  • ssh_client
  • ssh_server

sftpgo_project

  • sftpgo

net-ssh

  • net-ssh

vandyke

  • securecrt

dropbear_ssh_project

  • dropbear_ssh

ssh

  • ssh

panic

  • nova
  • transmit_5

trilead

  • ssh2

microsoft

  • powershell

paramiko

  • paramiko

crates

  • thrussh

proftpd

  • proftpd

freebsd

  • freebsd

crushftp

  • crushftp

tinyssh

  • tinyssh

kitty_project

  • kitty

roumenpetrov

  • pkixssh

apple

  • macos

russh_project

  • russh

jadaptive

  • maverick_synergy_java_ssh_api

openbsd

  • openssh
CWE
CWE-354

Improper Validation of Integrity Check Value