CVE-2023-48795 Overview
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6, allows remote attackers to bypass integrity checks, leading to possible downgrades or disabling of security features, known as the "Terrapin" attack.
Critical Impact
Remote attackers can bypass security checks, potentially resulting in reduced security for SSH connections.
Affected Products
- OpenBSD OpenSSH
- PuTTY
- FileZilla Client
Discovery Timeline
- 2023-12-18 - CVE-2023-48795 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-48795
Vulnerability Analysis
This vulnerability arises from mishandled sequence numbers within the SSH Binary Packet Protocol (BPP), allowing specific packets in the handshake phase to bypass integrity checks. This affects SSH's use of chacha20-poly1305@openssh.com and CBC modes with Encrypt-then-MAC.
Root Cause
The root cause lies in the incorrect handling of extension negotiation messages, permitting integrity check bypass.
Attack Vector
Network
// Example exploitation code (sanitized)
#include <openssl/evp.h>

void example_attack(void) {
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    if (!ctx) {
        // Handle error
        return;
    }
    // The bypass attack logic would exploit sequence mismanagement here.
    EVP_CIPHER_CTX_free(ctx);
}
Detection Methods for CVE-2023-48795
Indicators of Compromise
- Unusual SSH connection requests
- Inconsistent security handshake messages
- Logs showing anomalous sequence number increments
Detection Strategies
Use adaptive threat detection systems to monitor and alert on atypical SSH handshake behavior indicative of sequence tampering.
Monitoring Recommendations
Set up log analyzers to flag any SSH logs displaying sequence number anomalies or unexpected handshake failures.
How to Mitigate CVE-2023-48795
Immediate Actions Required
- Update to OpenSSH 9.6 or later
- Enable comprehensive logging on SSH connections
- Isolate vulnerable hosts until patched
Patch Information
Please refer to OpenSSH patches for updates resolving this vulnerability.
Workarounds
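Disable the affected algorithms, chacha20-poly1305@openssh.com and CBC modes used with Encrypt-then-MAC (*-etm@openssh.com) MACs, until patched.
# Configuration example to disable affected MACs
# sshd keeps the first value it reads for a keyword, so remove any earlier MACs line.
# This line does not remove chacha20-poly1305@openssh.com, which is set by Ciphers.
echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
# Validate the configuration before restarting the daemon
sshd -t && service ssh restart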
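To confirm that a workaround actually took effect, the following added example (not part of the original advisory or of OpenSSH) reads text in `sshd -T` format and reports whether the modes this CVE affects are still enabled: chacha20-poly1305@openssh.com, or a CBC cipher alongside an Encrypt-then-MAC algorithm. The function name and the three sample configurations are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Terrapin-affected algorithms in sshd's effective config.
# Input on stdin is text in `sshd -T` format (lowercase keyword, then a
# comma-separated list). All names and sample data below are this example's own.

terrapin_audit() {
    local cfg ciphers macs cbc etm status=0
    cfg=$(cat)
    # sshd -T prints one "ciphers" and one "macs" line; take the first of each.
    ciphers=$(printf '%s\n' "$cfg" | awk '$1 == "ciphers" && !n++ { print $2 }')
    macs=$(printf '%s\n' "$cfg" | awk '$1 == "macs" && !n++ { print $2 }')

    # Whole-name match inside the comma-separated cipher list.
    case ",$ciphers," in
        *,chacha20-poly1305@openssh.com,*)
            echo "AFFECTED: cipher chacha20-poly1305@openssh.com is enabled"
            status=1 ;;
    esac

    # CBC ciphers are affected only when an Encrypt-then-MAC algorithm is also on.
    cbc=$(printf '%s\n' "$ciphers" | tr ',' '\n' | awk '/-cbc$/' | paste -sd, -)
    etm=$(printf '%s\n' "$macs" | tr ',' '\n' | awk '/-etm@openssh\.com$/' | paste -sd, -)
    if [ -n "$cbc" ] && [ -n "$etm" ]; then
        echo "AFFECTED: CBC ciphers ($cbc) can pair with EtM MACs ($etm)"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: no Terrapin-affected cipher/MAC combination enabled"
    fi
    return "$status"
}

# Constructed sample: the MACs workaround applied, default-style ciphers kept.
SAMPLE_MACS_ONLY='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256,hmac-sha2-512'
# Constructed sample: a CBC cipher left enabled next to an EtM MAC.
SAMPLE_CBC_ETM='ciphers aes128-cbc,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'
# Constructed sample: neither affected mode is offered.
SAMPLE_HARDENED='ciphers aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256,hmac-sha2-512'

for s in "$SAMPLE_MACS_ONLY" "$SAMPLE_CBC_ETM" "$SAMPLE_HARDENED"; do
    printf '%s\n' "$s" | terrapin_audit || true
done
```

On a live host, pipe the effective configuration into the function as root with `sshd -T | terrapin_audit`. The first sample shows that restricting MACs alone leaves chacha20-poly1305@openssh.com enabled.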

