CVE-2023-46445 Overview
An issue in AsyncSSH before version 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack. This vulnerability, known as "Rogue Extension Negotiation," is part of the broader Terrapin attack family targeting SSH implementations. The flaw exists in how AsyncSSH processes SSH extension negotiation messages, enabling an attacker positioned between a client and server to manipulate the connection's security properties.
Critical Impact
Attackers can manipulate SSH extension negotiation to weaken the security of SSH connections, potentially bypassing security features or downgrading cryptographic protections through man-in-the-middle attacks.
Affected Products
- AsyncSSH versions prior to 2.14.1
- Systems using AsyncSSH for SSH client or server implementations
- Python applications with AsyncSSH dependency for secure communication
Discovery Timeline
- November 14, 2023 - CVE-2023-46445 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2023-46445
Vulnerability Analysis
This vulnerability falls under CWE-345 (Insufficient Verification of Data Authenticity). The core issue lies in AsyncSSH's handling of SSH extension info messages as defined in RFC 8308. During the SSH handshake process, extension negotiation allows clients and servers to communicate additional capabilities. However, AsyncSSH prior to version 2.14.1 does not adequately verify the authenticity of these extension messages, allowing a man-in-the-middle attacker to inject or modify extension information.
The Rogue Extension Negotiation attack exploits this weakness to manipulate which extensions are negotiated between the SSH client and server. This can result in security features being disabled or cryptographic algorithms being downgraded, fundamentally weakening the security guarantees of the SSH connection.
Root Cause
The root cause is insufficient verification of data authenticity in the SSH extension negotiation process. AsyncSSH fails to properly validate that extension info messages originate from the legitimate peer rather than an attacker. This allows manipulation of the extension negotiation handshake when an adversary has network positioning between communicating parties.
Attack Vector
The attack requires network-level access to intercept and modify SSH traffic between a client and server (man-in-the-middle positioning). An attacker exploits this vulnerability by:
- Positioning themselves between an AsyncSSH client and server
- Intercepting the SSH handshake traffic
- Injecting or modifying extension info messages (RFC 8308)
- Manipulating the negotiated extensions to weaken security properties
The vulnerability is exploitable over the network without authentication, though it requires the attacker to successfully establish a man-in-the-middle position, which increases attack complexity.
For detailed technical analysis of the Terrapin attack methodology, refer to the Terrapin Attack Overview and the GitHub Security Advisory.
Detection Methods for CVE-2023-46445
Indicators of Compromise
- Unexpected SSH extension negotiation behavior or missing expected extensions
- Anomalous network traffic patterns during SSH handshake sequences
- SSH connections with unexpectedly weak cryptographic configurations
- Evidence of ARP spoofing or other man-in-the-middle attack indicators on the network
Detection Strategies
- Monitor for SSH connections where negotiated extensions differ from expected baseline configurations
- Implement network-level detection for man-in-the-middle attack indicators such as ARP cache poisoning
- Audit AsyncSSH version deployments across infrastructure to identify vulnerable instances
- Enable verbose SSH logging to capture extension negotiation details for analysis
Monitoring Recommendations
- Deploy network intrusion detection systems with SSH protocol inspection capabilities
- Configure alerts for SSH handshake anomalies and unexpected extension negotiation patterns
- Implement continuous vulnerability scanning to identify AsyncSSH instances below version 2.14.1
- Monitor for Terrapin attack signatures using updated threat intelligence feeds
How to Mitigate CVE-2023-46445
Immediate Actions Required
- Upgrade AsyncSSH to version 2.14.1 or later immediately
- Audit all Python applications and systems using AsyncSSH as a dependency
- Review network architecture to minimize man-in-the-middle attack opportunities
- Implement network segmentation to protect critical SSH communications
Patch Information
The vulnerability is addressed in AsyncSSH version 2.14.1. Organizations should update their AsyncSSH installations through their package manager or by updating the dependency in their Python projects. For detailed change information, consult the AsyncSSH Change Log. Additional security advisories are available from Fedora, Debian LTS, and NetApp.
Workarounds
- Implement strict network access controls to prevent man-in-the-middle positioning
- Use VPNs or other encrypted tunnels for SSH traffic traversing untrusted networks
- Deploy mutual TLS or IPsec at the network layer for additional transport security
- Monitor and validate SSH server host keys through out-of-band verification mechanisms
# Upgrade AsyncSSH to patched version
pip install --upgrade asyncssh>=2.14.1
# Verify installed version
pip show asyncssh | grep Version
# For requirements.txt, update the version constraint
# asyncssh>=2.14.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
