CVE-2023-48795: OpenSSH Terrapin attack (CVE-2023-48795)

Published Dec 12, 2023
·
Updated

### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. **Warning: To take effect, both the client and server must support this countermeasure.** As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.

Credit

CVE-2023-48795, CVE-2023-51384, CVE-2023-51385, CVE-2024-23225, koocola, an anonymous researcher, ali yabuz, Kirin@@Pwnrin, Meysam Firouzi@@R00tkitsmm(Trend Micro Zero Day Initiative), @@08Tc3wBB(Jamf), CVE-2024-23283, Mickey Jin@@patch1t, Pedro Tôrres@@t0rr3sp3dr0, Bohdan Stasiuk@@Bohdan_Stasiuk, Harsh Tyagi, Wojciech Regula(SecuRing), CVE-2024-23296, Lyra Rebane (rebane2001), Matej Rabzelj, CVE-2024-23238, Yiğit Can YILMAZ@@yilmazcanyigit, luckyu@@uuulucky, K宝(Fudan University), LFY@@secsys(Fudan University), Lewis Hardy, Bistrit Dahal, CVE-2024-23241, CVE-2024-23242, Joshua Jewett@@JoshJewett33, Matthew Loewen, Deutsche Telekom Security GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik, anbu1024(SecANT), Pwn2car, James Lee@@Windowsrcer, Johan Carlsson (joaxcar), Georg Felber, Marco Squarcina, Junsung Lee(Trend Micro Zero Day Initiative), Zhenjiang Zhao(pangu team), Qianxin(CrowdStrike Counter Adversary Operations), (CrowdStrike Counter Adversary Operations), Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), Dohyun Lee@@l33d0hyun, Lyutoon, Mr.R, Murray Mike, CVE-2024-23235, Xinru Chi(Pangu Lab), m4yfly with TianGong Team(Legendsec at Qi'anxin Group), Guilherme Rambo(Best Buddy Apps), Csaba Fitzl@@theevilbit(OffSec), CVE-2024-23205, CVE-2022-48554, Marc Newlin(SkySafe), Brian McNulty, Stephan Casas, CVE-2024-23291

Affected Software

162 affected componentsFixes available
Apple macOS Sonoma<14.4
14.4
Fortinet FortiAnalyzer=.
Fortinet FortiAnalyzer=.
Fortinet FortiEDR Manager>=6.2.0<=6.2.4
Fortinet FortiEDR Manager>=6.0
Fortinet FortiEDR Manager>=5.2
Fortinet FortiEDR Manager>=5.1
Fortinet FortiEDR Manager>=5.0
Fortinet FortiMail>=7.4.0<=7.4.1
Fortinet FortiMail>=7.2.0<=7.2.5
Fortinet FortiMail>=7.0.0<=7.0.7
Fortinet FortiMail>=6.4
Fortinet FortiMail>=6.2
Fortinet FortiManager=.
Fortinet FortiManager=.
Fortinet FortiNAC-F>=7.2.0<=7.2.5
Fortinet FortiNDR>=7.4.0<=7.4.2
Fortinet FortiNDR>=7.2.0<=7.2.1
Fortinet FortiNDR>=7.1
Fortinet FortiNDR>=7.0.0<=7.0.5
Fortinet FortiRecorder>=7.0.0<=7.0.3
Fortinet FortiRecorder>=6.4
Fortinet FortiRecorder>=6.0
Fortinet FortiSIEM>=7.1.0<=7.1.3
Fortinet FortiSIEM>=7.0
Fortinet FortiSIEM>=6.7
Fortinet FortiSIEM>=6.6
Fortinet FortiSIEM>=6.5
Fortinet FortiSIEM>=6.4
Fortinet FortiSIEM>=6.3
Fortinet FortiSIEM>=6.2
Fortinet FortiSIEM>=6.1
Fortinet FortiSIEM>=5.4
Fortinet FortiSIEM>=5.3
Fortinet FortiSOAR>=7.4.0<=7.4.2
Fortinet FortiSOAR>=7.3
Fortinet FortiSOAR>=7.2
Fortinet FortiVoice>=7.0.0<=7.0.1
Fortinet FortiVoice>=6.4.0<=6.4.8
Fortinet FortiVoice>=6.0.0<=6.0.12
Fortinet FortiWeb>=7.4.0<=7.4.2
Fortinet FortiWeb>=7.2.0<=7.2.7
Fortinet FortiWeb>=7.0.0<=7.0.10
Fortinet FortiWeb>=6.4
Fortinet FortiWeb>=6.3
Fortinet FortiWeb>=6.2
go/golang.org/x/crypto<0.0.0-20231218163308-9d2ee975ef9f
0.0.0-20231218163308-9d2ee975ef9f
go/golang.org/x/crypto>=0.1.0<0.17.0
0.17.0
pip/paramiko>=2.5.0<3.4.0
3.4.0
rust/russh<0.40.2
0.40.2
IBM QRadar Network Packet Capture<=7.5.0 - 7.5.0 Update Package 7
Palo Alto Networks PAN-OS=9.0.0, =9.1.0, =10.1.0, <10.2.14, =10.2.0, =11.0.0, <11.1.8, =11.1.0, <11.2.8, =11.2.0
10.2.1411.1.811.2.8
Palo Alto Networks Prisma SD-WAN ION<5.6.19, =5.6, <6.1.8, =6.1, =6.2, <6.3.2, =6.3
5.6.196.1.86.3.2
redhat/PuTTY<0.80
0.80
redhat/AsyncSSH<2.14.1
2.14.1
redhat/libssh<0.9.8
0.9.8
redhat/libssh<0.10.6
0.10.6
redhat/golang.org/x/crypto/ssh<0.17.0
0.17.0
OpenBSD OpenSSH<9.6
Putty PuTTY<0.80
Filezilla-project Filezilla Client<3.66.4
All of the following
Apple macOS
Panic Transmit 5<5.10.4
All of the following
Apple macOS
Panic Nova<11.8
Roumenpetrov Pkixssh<14.4
WinSCP WinSCP<6.2.2
Bitvise SSH Client<9.33
Bitvise SSH Server<9.32
Lancom-systems Lcos<=3.66.4
Lancom-systems Lcos Fx
Lancom-systems Lcos Lx
Lancom-systems Lcos Sx=4.20
Lancom-systems Lcos Sx=5.20
Lancom-systems Lanconfig
VanDyke Securecrt<9.4.3
libssh libssh<0.10.6
net-ssh Net-ssh Ruby=7.2.0
Ssh2 Project Ssh2 Node.js<=1.11.0
ProFTPD ProFTPD<=1.3.8b
FreeBSD FreeBSD<=12.4
Crates Thrussh<0.35.1
Tera Term Project Tera Term<=5.1
Oryx-embedded Cyclone Ssh<2.3.4
CrushFTP CrushFTP<=10.6.0
NetSarang XShell 7<build__0144
Paramiko Paramiko<3.4.0
redhat OpenShift Container Platform=4.0
redhat Openstack Platform=16.1
redhat Openstack Platform=16.2
redhat Openstack Platform=17.1
redhat Ceph Storage=6.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
redhat Openshift Serverless
redhat Openshift Gitops
redhat Openshift Pipelines
redhat Openshift Developer Tools And Services
redhat Openshift Data Foundation=4.0
redhat Openshift Api For Data Protection
redhat Openshift Virtualization=4
redhat Storage=3.0
redhat Discovery
redhat Openshift Dev Spaces
redhat Cert-manager Operator For Red Hat Openshift
redhat keycloak
redhat JBoss Enterprise Application Platform=7.0
redhat Single Sign-on=7.0
redhat Advanced Cluster Security=3.0
redhat Advanced Cluster Security=4.0
Golang crypto<0.17.0
Russh Project Russh Rust<0.40.2
Sftpgo Project Sftpgo<2.5.6
Erlang Erlang\/otp<22.3.4.27
Erlang Erlang\/otp>=23.0<23.3.4.20
Erlang Erlang\/otp>=24.0<24.3.4.15
Erlang Erlang\/otp>=25.0<25.3.2.8
Erlang Erlang\/otp>=26.0<26.2.1
Matez Jsch<0.2.15
libssh2 libssh2<1.11.1
Asyncssh Project Asyncssh<2.14.2
Dropbear Ssh Project Dropbear Ssh<2022.83
Jadaptive Maverick Synergy Java Ssh Api<3.1.0-snapshot
SSH ssh<4.9.1.5
SSH ssh>=4.10<4.11.1.7
SSH ssh>=4.12<4.13.2.4
SSH ssh>=4.14<4.15.3.1
SSH ssh>=5.0<5.1.1
Thorntech Sftp Gateway Firmware<3.4.6
Netgate pfSense Plus<=23.09.1
Netgate pfSense CE<=2.7.2
CrushFTP CrushFTP<10.6.0
ConnectBot Sshlib<2.2.22
Apache sshd<=2.11.0
Apache sshj<=0.37.0
TinySSH TinySSH<=20230101
trilead ssh2=6401
9bis Kitty<=0.76.1.13
All of the following
Gentoo Security
Debian Debian Linux
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Debian Debian Linux=10.0
Apple macOS>=14.0<14.4
debian/dropbear
2020.81-3+deb11u22020.81-3+deb11u32022.83-1+deb12u32025.89-1~deb13u12026.91-1
debian/erlang<=1:23.2.6+dfsg-1+deb11u1
1:23.2.6+dfsg-1+deb11u41:25.2.3+dfsg-1+deb12u41:25.2.3+dfsg-1+deb12u11:27.3.4.1+dfsg-1+deb13u21:27.3.4.11+dfsg-11:27.3.4.11+dfsg-7
debian/filezilla
3.52.2-3+deb11u13.63.0-1+deb12u33.68.1-13.69.6-2
debian/golang-go.crypto<=1:0.0~git20201221.eec23a3-1, <=1:0.4.0-1
1:0.25.0-11:0.50.0-1
debian/jsch
0.1.55-10.2.19-1
debian/libssh
0.9.8-0+deb11u10.9.8-0+deb11u20.10.6-0+deb12u20.10.6-0+deb12u10.11.2-1+deb13u10.12.0-3
debian/libssh2
1.9.0-2+deb11u11.10.0-31.11.1-11.11.1-3
debian/openssh
1:8.4p1-5+deb11u31:8.4p1-5+deb11u71:9.2p1-2+deb12u101:9.2p1-2+deb12u91:10.0p1-7+deb13u41:10.0p1-7+deb13u21:10.3p1-11:10.3p1-2
debian/paramiko<=2.7.2-1, <=2.7.2-1+deb11u1, <=2.12.0-2
3.5.1-34.0.0-2
debian/php-phpseclib
2.0.30-2+deb11u22.0.30-2+deb11u12.0.42-1+deb12u52.0.42-1+deb12u32.0.48-3+deb13u32.0.48-3+deb13u12.0.54-1
debian/php-phpseclib3
3.0.19-1+deb12u63.0.19-1+deb12u43.0.43-2+deb13u33.0.43-2+deb13u13.0.52-2
debian/phpseclib
1.0.19-3+deb11u21.0.19-3+deb11u31.0.20-1+deb12u51.0.20-1+deb12u31.0.23-6+deb13u31.0.23-6+deb13u11.0.29-1
debian/proftpd-dfsg<=1.3.7a+dfsg-12+deb11u2
1.3.7a+dfsg-12+deb11u51.3.8+dfsg-4+deb12u51.3.8+dfsg-4+deb12u41.3.8.c+dfsg-4+deb13u21.3.9a~dfsg-1
debian/proftpd-mod-proxy<=0.7-1
0.9.2-1+deb12u10.9.5-10.9.5-2
debian/putty
0.74-1+deb11u20.74-1+deb11u10.78-2+deb12u20.78-2+deb12u10.83-30.84-1
debian/python-asyncssh<=2.5.0-0.1
2.5.0-0.1+deb11u12.10.1-2+deb12u22.10.1-2+deb12u12.20.0-12.22.0-2
debian/tinyssh<=20190101-1+deb11u1, <=20230101-1
20250501-120260401-1
debian/trilead-ssh2<=6401+svn158-1.1, <=6401+svn158-2

Remediation

Patch Available

https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6

Patch Available

https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0

Patch Available

https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab

Patch Available

https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42

Patch Available

https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d

Patch Available

https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5

Patch Available

https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25

Patch Available

https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3

Patch Available

https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16

Patch Available

https://github.com/openssh/openssh-portable/commits/master

Patch Available

https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC

Mitigation

For PAN-OS SSH server Customers can workaround this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms available (ciphers with -etm in the name) in PAN-OS software. Guidance on how to configure strong ciphers and algorithms can be found on the following pages: * Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0 (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2) * Refresh SSH Keys and Configure Key Options for Management Interface Connection (https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection) To validate the affected ciphers and algorithms are no longer enabled, please see the guidance on checking ciphers enabled on PAN-OS (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE). This issue is completely mitigated by following the recommended best practices for deploying PAN-OS (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices). For PAN-OS SSH client If using the SSH client provided with PAN-OS to connect from the firewall to an external SSH server, ensure that the SSH server does not support the CHACHA20-POLY1305 algorithm or any Encrypt-then-MAC algorithms.

Information

For PAN-OS SSH server The PAN-OS SSH server is fixed in PAN-OS 10.2.14, PAN-OS 11.1.8, PAN-OS 11.2.8, and all later PAN-OS versions. These versions implement support for the Strict Key Exchange (kex-strict) extension, which prevents the prefix truncation required for the Terrapin attack. Customers are still encouraged to follow best practices for configuring strong ciphers and algorithms. For PAN-OS SSH client The PAN-OS SSH client is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions. For Prisma SD-WAN ION This issue is fixed in Prisma SD-WAN ION 5.6.19, Prisma SD-WAN ION 6.1.8, Prisma SD-WAN ION 6.3.2, and all later Prisma SD-WAN ION versions. If you are using the Prisma SD-WAN ION 6.2 series, evaluate moving to another Prisma SD-WAN ION series number based on the Prisma SD-WAN ION Software Release Guidelines (https://live.paloaltonetworks.com/t5/customer-resources/prisma-sd-wan-ion-software-release-guidelines/ta-p/578685.).

Event History

Dec 12, 2023
Data Sourced
via Red Hat·04:59 PM
DescriptionSeverityAffected Software
Dec 18, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·04:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Advisory Published
via GitHub·07:22 PM
Data Sourced
via GitHub·07:22 PM
DescriptionSeverityWeaknessAffected Software
Dec 19, 2023
News Published
05:03 PM
Dec 20, 2023
News Published
via The Register·08:34 AM
Jan 9, 2024
Advisory Published
via FortiGuard·12:00 AM
Advisory Published
via Palo Alto Networks·01:30 AM
Data Sourced
via Palo Alto Networks·01:30 AM
RemedyDescriptionSeverityWeaknessAffected Software
Jan 19, 2024
News Published
via The Register·09:51 PM
Jul 23, 2024
Data Sourced
via IBM·12:00 AM
DescriptionSeverityAffected Software
May 13, 2025
Advisory Published
via FortiGuard·02:55 PM
Jul 17, 2025
Data Sourced
via Ubuntu·02:30 PM
RemedyDescriptionSeverityAffected Software
Aug 30, 2025
Data Sourced
via Launchpad·02:37 PM
Description
Mar 10, 2026
Advisory Published
via Palo Alto Networks·01:00 AM
May 25, 2026
Data Sourced
via Debian·09:07 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2023-48795?

CVE-2023-48795 has been classified as a high severity vulnerability affecting the integrity of the SSH protocol.

2

How do I fix CVE-2023-48795?

To fix CVE-2023-48795, upgrade to the recommended versions of affected software such as Paramiko 3.4.0 or higher, and ensure all SSH implementations are updated accordingly.

3

What types of software are affected by CVE-2023-48795?

CVE-2023-48795 impacts various SSH implementations including Paramiko, OpenSSH, PuTTY, and several other cryptographic libraries.

4

Can CVE-2023-48795 be exploited remotely?

Yes, CVE-2023-48795 can be exploited remotely by attackers during the SSH handshake process.

5

What is the nature of the attack described in CVE-2023-48795?

CVE-2023-48795 refers to a prefix truncation attack, which compromises the integrity of the SSH secure channel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203