VulWall Team February 18, 2026 5 min read

SSH Server Uses Encryption Settings Vulnerable to Connection Downgrade

Your server's SSH service — the secure tunnel used for remote administration — is configured with encryption options that have a known flaw. An attacker positioned between your server and a connecting administrator (for example, on the same network) could quietly weaken that tunnel during the initial handshake, potentially stripping away some security protections before either side notices. Think of it like a tampered lock that looks fine from the outside but is slightly easier to pick.

OWASP A06 Effort: small Exploitable
cve cve-2023-48795 ssh openssh terrapin mitm cryptography algorithm-downgrade network handshake

Business Impact And Actions

medium urgency

Business Impact

The practical risk is limited: an attacker must already be in a position to intercept your network traffic (a 'man-in-the-middle' position) before this flaw can be used. It cannot be exploited from the open internet by a random attacker. That said, if exploited, it could allow a sophisticated attacker to weaken the security of an SSH session — for example, forcing the use of less secure login methods. For compliance purposes, unpatched SSH servers are commonly flagged in security audits (SOC 2, ISO 27001, PCI-DSS). Fixing this is straightforward and low-risk.

What To Do

  1. Ask your developer or system administrator to update OpenSSH to version 9.6 or later on all servers — this is the cleanest fix and takes under an hour on most Linux systems.
  2. If an immediate upgrade isn't possible, ask your admin to disable two specific encryption options (ChaCha20-Poly1305 and Encrypt-then-MAC algorithms) in the SSH server config file as a temporary workaround — this takes about 15 minutes.
  3. After the fix is applied, use the free Terrapin Scanner tool (available at github.com/RUB-NDS/Terrapin-Scanner) to confirm the server is no longer flagged as vulnerable.
  4. If you use any SSH client software (PuTTY, WinSCP, FileZilla, etc.) on staff machines, check that those are also updated to their latest versions.

OpenSSH Terrapin Prefix Truncation Attack (CVE-2023-48795)

medium severity

Vulnerability Explanation

CVE-2023-48795, known as the Terrapin attack, is a prefix truncation vulnerability in the SSH Binary Packet Protocol (BPP). During the SSH handshake, certain cipher/MAC combinations — specifically ChaCha20-Poly1305 and CBC with Encrypt-then-MAC (EtM) — do not protect the integrity of the initial handshake message sequence. A man-in-the-middle attacker can inject or drop specific unencrypted packets before the secure channel is fully established, desynchronising the sequence numbers between client and server. This allows the attacker to silently strip the SSH_MSG_EXT_INFO extension negotiation message from the handshake, effectively disabling security extensions (such as restrictions on public-key authentication algorithms) without either party detecting the manipulation. The attack requires an active MitM position — passive eavesdropping is not sufficient.

Root Cause

The SSH BPP does not reset or cryptographically bind sequence numbers when transitioning from the unauthenticated handshake phase to the encrypted channel. When ChaCha20-Poly1305 or CBC-EtM is negotiated, an attacker can inject a padding/ignore message before the NewKeys message, causing the server's sequence number to advance by one. This desynchronisation allows the attacker to cause the first post-handshake message (SSH_MSG_EXT_INFO) to be silently dropped. The fix introduced in OpenSSH 9.6 is a 'strict KEX' extension that cryptographically binds sequence numbers during key exchange, preventing this manipulation.

Technical Impact

An active MitM attacker can downgrade the security of an SSH session by stripping extension negotiation messages. Demonstrated impacts include: forcing fallback to weaker client authentication algorithms (e.g., disabling publickey authentication restrictions), and disabling the 'ping' extension used to detect connection liveness. In practice, this does not grant direct code execution or credential theft, but it weakens the security guarantees of the SSH session in ways that could facilitate further attacks.

Severity Justification

CVSS 3.x Base Score 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). High attack complexity due to mandatory MitM requirement; no confidentiality or availability impact. Exploits are publicly available but require network positioning. Widely rated Medium by vendors including IBM, Tenable, and Palo Alto Networks.

Affected Components

  • OpenSSH < 9.6
  • PuTTY < 0.80
  • WinSCP < 6.2.2
  • FileZilla < 3.66.4
  • libssh < 0.10.6
  • libssh2 through 1.11.0
  • Paramiko < 3.4.0
  • AsyncSSH < 2.14.2
  • golang.org/x/crypto < 0.17.0
  • Dropbear through 2022.83
  • net-ssh gem < 7.2.1 (Ruby)
  • mscdex ssh2 < 1.15.0 (Node.js)

Remediation Steps

  1. **Preferred fix — upgrade OpenSSH:** Update the SSH server package to OpenSSH 9.6 or later, which implements the 'strict KEX' countermeasure. On Debian/Ubuntu: `apt-get update && apt-get install --only-upgrade openssh-server`. On RHEL/CentOS: `dnf update openssh-server`. Restart the service after upgrading.
  2. **If upgrade is not immediately possible — disable vulnerable algorithms:** Add the following lines to `/etc/ssh/sshd_config` to remove ChaCha20-Poly1305 and all Encrypt-then-MAC algorithms from the server's accepted list. Both must be disabled — removing only one is insufficient.
  3. Reload the SSH daemon: `systemctl reload sshd` (or `systemctl restart sshd` if reload is not supported). Verify the service is still accepting connections before closing your current session.
  4. **Also update SSH clients:** The vulnerability affects both sides of the connection. Update client software (PuTTY, WinSCP, FileZilla, Paramiko, etc.) to patched versions. See https://terrapin-attack.com/patches.html for the full list of patched versions per product.
  5. **Verify remediation** using the Terrapin Scanner tool (see verification steps below).

Verification Steps

  1. Run the official Terrapin Scanner against your server: download the binary from https://github.com/RUB-NDS/Terrapin-Scanner/releases and execute: `./terrapin-scanner --connect your-server-ip:22`. A non-vulnerable server will report 'strict key exchange support: true'.
  2. Confirm ChaCha20-Poly1305 is no longer offered: `ssh -vvv -c chacha20-poly1305@openssh.com your-server-ip` — the connection should fail with 'no matching cipher found'.
  3. Confirm EtM MACs are no longer offered: `ssh -Q mac | grep etm` on the server, then cross-reference with `ssh -vvv your-server-ip` output to confirm none of the etm MACs appear in the negotiated algorithm.
  4. Check the installed OpenSSH version: `ssh -V` — should report OpenSSH 9.6 or later for the fully patched fix.

Best Practices

  • Apply OS security updates on a regular cadence — the OpenSSH patch for this CVE was available the same day of disclosure (December 18, 2023).
  • Restrict SSH access to known IP ranges using firewall rules; this limits the pool of potential MitM positions an attacker could occupy.
  • Prefer key-based authentication over passwords for SSH — this reduces the value of any session downgrade to an attacker.
  • Periodically audit your SSH server configuration against a hardening guide (e.g., Mozilla SSH Guidelines) to catch algorithm deprecations proactively.

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base