Approximately 11 million SSH servers vulnerable to “new Terrapin attacks”

Approximately 11 million internet-exposed SSH servers are vulnerable to the newly identified Terrapin attack, which threatens the integrity of SSH connections. Developed by academic researchers at Ruhr University Bochum in Germany, Terrapin targets the SSH protocol and affects both clients and servers. By manipulating sequence numbers during the handshake, an attacker can compromise the integrity of the SSH channel when certain encryption modes are in use, specifically ChaCha20-Poly1305 or CBC ciphers combined with Encrypt-then-MAC. The attack allows an adversary to downgrade the public key algorithms used for user authentication and to disable the defenses against keystroke timing attacks introduced in OpenSSH 9.5. Notably, Terrapin requires the attacker to hold an adversary-in-the-middle (AitM) position in order to intercept and modify the handshake exchange. A recent report from the security threat monitoring platform Shadowserver finds that nearly 11 million SSH servers on the public web, counted by unique IP address, are susceptible to Terrapin attacks, which underlines the need for vigilance and proactive security measures.

Approximately 52% of all SSH instances Shadowserver scanned across the monitored IPv4 and IPv6 space are susceptible to the Terrapin attack. Most of the vulnerable systems are located in the United States (3.3 million), with significant numbers also identified in China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000). This wide distribution shows the global reach of the issue and the urgency of addressing the Terrapin threat.

Shadowserver’s report underscores the potential impact of Terrapin attacks: although not all 11 million instances are immediately exploitable, adversaries have a substantial pool to choose from. To check whether an SSH client or server is vulnerable to Terrapin, the Ruhr University Bochum team provides a vulnerability scanner. Proactive measures and vigilance are needed to mitigate the risks associated with the Terrapin attack.
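The conditions the article names (ChaCha20-Poly1305, or a CBC cipher paired with an Encrypt-then-MAC MAC) are visible in the algorithm lists a peer advertises in its SSH_MSG_KEXINIT message, which is the first thing an SSH scanner inspects. The following Python is an added example, not code from the article, BleepingComputer, Shadowserver or the Bochum scanner: it parses a KEXINIT payload as laid out in RFC 4253 and flags those combinations. It additionally looks for the "kex-strict-*-v00@openssh.com" markers that OpenSSH 9.6 uses to signal its strict-kex countermeasure; that detail is background knowledge and is not mentioned in the article. Both KEXINIT offers below are constructed inline for the demonstration, not captured from any real host.

```python
# Parse SSH_MSG_KEXINIT and flag Terrapin-affected algorithm offers.
# Added example; not from the article, Shadowserver or the Bochum scanner.
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
# Pseudo-KEX names OpenSSH 9.6 uses to signal "strict kex" (background
# knowledge; the article above does not describe this countermeasure).
STRICT_KEX_MARKER = {"server": "kex-strict-s-v00@openssh.com",
                     "client": "kex-strict-c-v00@openssh.com"}


def parse_kexinit(payload: bytes) -> dict:
    """Decode msg type, 16-byte cookie, ten name-lists, boolean, reserved uint32."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message type byte plus the random cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated length prefix for {name}")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError(f"truncated name-list body for {name}")
        pos += length
        # Empty name-lists are legal (languages); "".split(",") would give [""].
        fields[name] = raw.decode("ascii").split(",") if raw else []
    if pos + 1 + 4 > len(payload):  # first_kex_packet_follows + reserved
        raise ValueError("truncated KEXINIT trailer")
    return fields


def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists into a KEXINIT payload; used to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a sample
    for name in NAME_LIST_FIELDS:
        encoded = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(encoded)) + encoded
    return body + b"\x00" + b"\x00\x00\x00\x00"


def _cbc_with_etm(ciphers, macs) -> bool:
    """A CBC cipher offered alongside an Encrypt-then-MAC MAC in one direction."""
    return (any(c.endswith("-cbc") for c in ciphers)
            and any(m.endswith("-etm@openssh.com") for m in macs))


def terrapin_findings(fields: dict, role: str = "server") -> dict:
    """Evaluate one peer's KEXINIT offer against the conditions in the article."""
    c2s_c = fields["encryption_algorithms_client_to_server"]
    s2c_c = fields["encryption_algorithms_server_to_client"]
    c2s_m = fields["mac_algorithms_client_to_server"]
    s2c_m = fields["mac_algorithms_server_to_client"]
    return {
        "chacha20_poly1305": "chacha20-poly1305@openssh.com" in c2s_c + s2c_c,
        "cbc_with_etm": _cbc_with_etm(c2s_c, c2s_m) or _cbc_with_etm(s2c_c, s2c_m),
        "strict_kex": STRICT_KEX_MARKER[role] in fields["kex_algorithms"],
    }


def is_vulnerable(findings: dict) -> bool:
    """Affected algorithms offered and no strict-kex support advertised."""
    return (findings["chacha20_poly1305"] or findings["cbc_with_etm"]) and not findings["strict_kex"]


# Constructed sample offers (hypothetical; not captured from any real host).
VULNERABLE_OFFER = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-cbc"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})
HARDENED_OFFER = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    for label, offer in (("vulnerable", VULNERABLE_OFFER), ("hardened", HARDENED_OFFER)):
        f = terrapin_findings(parse_kexinit(offer))
        print(label, f, "-> affected" if is_vulnerable(f) else "-> not affected")
```

The check is deliberately per direction: a CBC cipher in one direction only matters together with an `-etm@openssh.com` MAC in that same direction. The `strict_kex` result describes only the one peer whose KEXINIT was parsed; the countermeasure takes effect only when both sides advertise it, so a client-side assessment would pass `role="client"` and look for the client marker.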

Source: https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/