CVE-2023-48795 Overview
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6, allows remote attackers to bypass integrity checks, leading to possible downgrades or disabling of security features, known as the "Terrapin" attack.
Critical Impact
Remote attackers can bypass security checks, potentially resulting in reduced security for SSH connections.
Affected Products
- OpenBSD OpenSSH
- PuTTY
- Filezilla Client
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to openbsd
- Not Available - CVE CVE-2023-48795 assigned
- 2023-12-18 - CVE CVE-2023-48795 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-48795
Vulnerability Analysis
This vulnerability arises from mishandled sequence numbers within the SSH Binary Packet Protocol (BPP), allowing specific packets in the handshake phase to bypass integrity checks. This affects SSH's use of [email protected] and CBC modes with Encrypt-then-MAC.
Root Cause
The root cause lies in the incorrect handling of extension negotiation messages, permitting integrity check bypass.
Attack Vector
Network
// Example exploitation code (sanitized)
#include <openssl/evp.h>
void example_attack() {
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (!ctx) {
// Handle error
}
// The bypass attack logic would exploit sequence mismanagement here.
EVP_CIPHER_CTX_free(ctx);
}
Detection Methods for CVE-2023-48795
Indicators of Compromise
- Unusual SSH connection requests
- Inconsistent security handshake messages
- Logs showing anomalous sequence number increments
Detection Strategies
Use adaptive threat detection systems to monitor and alert on atypical SSH handshake behavior indicative of sequence tampering.
Monitoring Recommendations
Set up log analyzers to flag any SSH logs displaying sequence number anomalies or unexpected handshake failures.
How to Mitigate CVE-2023-48795
Immediate Actions Required
- Update to OpenSSH 9.6 or later
- Enable comprehensive logging on SSH connections
- Isolate vulnerable hosts until patched
Patch Information
Please refer to OpenSSH patches for updates resolving this vulnerability.
Workarounds
Disable affected MAC algorithms such as [email protected] and CBC modes until patched.
# Configuration example to disable affected MACs
echo -e "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
service ssh restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
