SSH vulnerable: Millions of servers are no longer secure

B2B Cyber ​​Security ShortNews

Share post

The SSH protocol has been in use for almost 30 years. Now Bochum researchers have developed an attack that has the potential to undermine, if not even disable, cryptographic SSH protection measures. According to ShadowServer, there are over 1 million SSH servers active in Germany - several million worldwide. 

The Terrapin attack is a new attack technique on the SSH protocol discovered by researchers at Ruhr University Bochum. The attack can compromise the integrity of secure SSH connections by making targeted adjustments to sequence numbers during the handshake as part of the connection setup.

ShadowServer's site

🔎 The ShadowServer page shows how many vulnerable SSH servers there are (Image: ShadowServer).

This allows the attacker to remove some messages sent by the client or server when establishing a secure channel without the participants noticing.

Good news: only attack Man in the Middle

The attack may result in the use of less secure authentication algorithms and may disable certain mitigations against keystroke timing attacks in OpenSSH 9.5. To successfully exploit Terrapin, an attacker must be able to perform a Man in the Middle (MitM) attack on the client-server connection and intercept and alter traffic at the TCP/IP layer.

The SSH connection must be encrypted with Chacha20-Poly1305 or with Encrypt-then-MAC in CBC mode. Terrapin is based on a vulnerability registered as CVE-2023-48795 that affects numerous SSH implementations, including OpenSSH, Putty and AsyncSSH, as well as the libssh and libssh2 libraries. Corresponding patches already exist for many of these tools. However, for these to be effective, both the clients and the servers must be updated.

Terrapin website explains

The website

🔎 The website of the Ruhr University Bochum provides everything on the topic (Image: University of Bochum).

The experts at the Ruhr University Bochum have compiled all the information about Terrapin on a special website. In addition to a detailed white paper, there is information about patches and more. There is even a vulnerability scanner for many platforms that is provided via GitHub. The use is of course only recommended for professionals. The FAQ section of the site is also very interesting, as it answers many of admins' questions on the topic straight away.

The interactive map from ShadowServers shows an overview of vulnerable servers and SSh. The numbers for vulnerable servers in Germany, Europe and the rest of the world can be accessed very quickly there.

More at


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more