11 million SSH servers are vulnerable to Terrapin

Around 11 million SSH (Secure Socket Shell) servers exposed to the internet are vulnerable to the Terrapin attack. The attack targets the SSH protocol, affecting clients and servers, and was developed by academic researchers at Ruhr University Bochum, in Germany. It manipulates sequence numbers during the handshake process (the process by which two or more machines recognize each other and are ready to begin communication) to compromise the integrity of the SSH channel, especially when specific encryption modes such as ChaCha20-Poly1305 or CBC with Encrypt-then-MAC are used.

An attacker could therefore downgrade the public key algorithms for user authentication and disable defenses against keystroke timing attacks in OpenSSH 9.5. For the attack to be successful, however, the attackers must be in an intermediary or man-in-the-middle position — or adversary-in-the-middle (AiTM), as they are also known —, a technique of cyberattack in which the criminal acts as an intermediary between the victim and a bank website or even other users, for example.

The warning about the risk of SSH servers is contained in a recent report from security threat monitoring platform Shadowserver, which says there are almost 11 million SSH servers on the public web — identified by unique IP addresses, which are vulnerable to Terrapin attacks. This constitutes about 52% of all samples scanned in the IPv4 and IPv6 space monitored by Shadoserver.

Most vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700 thousand), Singapore (390 thousand) and Japan (380 thousand) . But there may be more in other countries.