CVE-2023-48795
Published: 18 December 2023
Summary
CVE-2023-48795 is a medium-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Erlang/OTP. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-48795 is a protocol-level flaw in the SSH Binary Packet Protocol (BPP) handshake that affects OpenSSH before version 9.6 and numerous other implementations, including PuTTY before 0.80, Dropbear through 2022.83, libssh before 0.10.6, Paramiko before 3.4.0, AsyncSSH before 2.14.2, and many additional SSH libraries and products. The vulnerability, known as the Terrapin attack, stems from improper handling of sequence numbers and extension negotiation messages, allowing an attacker to omit packets from the handshake and thereby disable or downgrade integrity protections when ChaCha20-Poly1305 or CBC-with-Encrypt-then-MAC modes are in use.
A remote attacker positioned on the network path between client and server can exploit the flaw during the initial key exchange to strip selected packets without detection, resulting in a connection that has lost certain security properties while still appearing valid to both endpoints. The attack requires no authentication and succeeds against connections that negotiate the affected algorithms, though it is rated medium severity (CVSS 5.9) because of the high attack complexity involved.
Public advisories and coordinated disclosures describe vendor-specific patches that update the listed products to versions that correctly enforce sequence numbers and resist prefix truncation; operators are advised to apply those updates and, where feasible, prefer algorithms less susceptible to the prefix truncation technique.
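To make the affected-mode rule concrete, the following added example (not code from the advisory or from any of the listed projects) audits an SSH algorithm negotiation for Terrapin exposure. It assumes the RFC 4253 rule that the first client-preferred algorithm the server also supports is chosen, and uses the OpenSSH 9.6 strict-KEX marker names `kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com` (not mentioned on this page) as the mitigation signal; the sample name-lists are constructed.

```python
# Added example: check SSH_MSG_KEXINIT name-lists for CVE-2023-48795 (Terrapin)
# exposure. Vulnerable modes per the advisory: chacha20-poly1305@openssh.com, or a
# CBC cipher combined with an -etm@openssh.com MAC. Strict KEX on both sides is
# treated as the mitigation (assumption: OpenSSH 9.6 marker names, as published).

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def negotiate(client_prefs, server_prefs):
    """RFC 4253 sec. 7.1: first client-preferred algorithm the server supports."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def terrapin_exposure(client_kex, server_kex):
    """client_kex / server_kex: dicts with 'kex', 'enc', 'mac' name-lists.
    Returns (vulnerable, reason)."""
    cipher = negotiate(client_kex["enc"], server_kex["enc"])
    mac = negotiate(client_kex["mac"], server_kex["mac"])
    if cipher is None:
        return False, "no common cipher; connection would not be established"
    # Strict KEX resets sequence numbers and rejects unexpected handshake
    # packets, which closes the prefix-truncation window.
    if (STRICT_KEX_CLIENT in client_kex["kex"]
            and STRICT_KEX_SERVER in server_kex["kex"]):
        return False, f"{cipher}: mitigated by strict KEX on both sides"
    if cipher == "chacha20-poly1305@openssh.com":
        return True, f"{cipher}: ChaCha20-Poly1305 without strict KEX"
    if cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
        return True, f"{cipher}/{mac}: CBC with Encrypt-then-MAC without strict KEX"
    return False, f"{cipher}/{mac}: not an affected mode"


# Constructed sample: an unpatched server paired with a strict-KEX-capable client.
OLD_SERVER = {"kex": ["curve25519-sha256"],
              "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
              "mac": ["hmac-sha2-256-etm@openssh.com"]}
NEW_CLIENT = {"kex": ["curve25519-sha256", STRICT_KEX_CLIENT],
              "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
              "mac": ["hmac-sha2-256-etm@openssh.com"]}

if __name__ == "__main__":
    print(terrapin_exposure(NEW_CLIENT, OLD_SERVER))
```

Feeding it the name-lists captured from a real handshake (for example from a packet capture of the KEXINIT exchange) turns the advisory's algorithm list into a per-connection yes/no answer.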
EPSS for this CVE rose sharply from a low baseline to a peak of 0.9548 on 2025-01-22 before receding to the current value of 0.5300, indicating that exploitation interest increased substantially after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3093
Vulnerability details
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.
Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.
Control mandates proper validation of integrity values (checksums) on prepared data, making flawed validation of those checks ineffective for attackers.
Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.
Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.