russh

CVE-2023-48795

CVE-2023-48795 is a medium-severity security vulnerability in russh (rust), affecting versions < 0.40.2. It is fixed in 0.40.2, 3.4.0, 0.17.0, 0.0.0-20231218163308-9d2ee975ef9f.

Key facts
CVSS score
5.9
Medium
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
russh
Fixed in
0.40.2, 3.4.0, 0.17.0, 0.0.0-20231218163308-9d2ee975ef9f
Disclosed
2023

Summary

Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Warning: To take effect, both the client and server must support this countermeasure. As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. Details The SSH specifications of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC ([email protected] MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSHMSGEXTINFO sent after the first message after SSHMSGNEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSHMSGIGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSHMSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see https://terrapin-attack.com. Impact This attack targets the specification of ChaCha20-Poly1305 ([email protected]) and Encrypt-then-MAC ([email protected]), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.

Impact

Severity and exposure

CVE-2023-48795 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.40.2, 3.4.0, 0.17.0, 0.0.0-20231218163308-9d2ee975ef9f). Upgrading removes the vulnerable code path.

Affected versions

rust

  • russh (< 0.40.2)

pip

  • paramiko (>= 2.5.0, < 3.4.0)

go

  • golang.org/x/crypto (>= 0.1.0, < 0.17.0)
  • golang.org/x/crypto (< 0.0.0-20231218163308-9d2ee975ef9f)

Security releases

  • russh → 0.40.2 (rust)
  • paramiko → 3.4.0 (pip)
  • golang.org/x/crypto → 0.17.0 (go)
  • golang.org/x/crypto → 0.0.0-20231218163308-9d2ee975ef9f (go)
Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2023-48795 is reachable in your applications. Explore open-source security for your team.

See if CVE-2023-48795 is reachable in your applications. Get a demo

Already deployed Kodem? See CVE-2023-48795 in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade russh to 0.40.2 or later
  • Upgrade paramiko to 3.4.0 or later
  • Upgrade golang.org/x/crypto to 0.17.0 or later
  • Upgrade golang.org/x/crypto to 0.0.0-20231218163308-9d2ee975ef9f or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2023-48795

What is CVE-2023-48795?

CVE-2023-48795 is a medium-severity security vulnerability in russh (rust), affecting versions < 0.40.2. It is fixed in 0.40.2, 3.4.0, 0.17.0, 0.0.0-20231218163308-9d2ee975ef9f.

How severe is CVE-2023-48795?

CVE-2023-48795 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which packages are affected by CVE-2023-48795?
  • russh (rust) (versions < 0.40.2)
  • paramiko (pip) (versions >= 2.5.0, < 3.4.0)
  • golang.org/x/crypto (go) (versions >= 0.1.0, < 0.17.0)
Is there a fix for CVE-2023-48795?

Yes. CVE-2023-48795 is fixed in 0.40.2, 3.4.0, 0.17.0, 0.0.0-20231218163308-9d2ee975ef9f. Upgrade to this version or later.

Is CVE-2023-48795 exploitable, and should I be worried?

Whether CVE-2023-48795 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2023-48795 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2023-48795?
  • Upgrade russh to 0.40.2 or later
  • Upgrade paramiko to 3.4.0 or later
  • Upgrade golang.org/x/crypto to 0.17.0 or later
  • Upgrade golang.org/x/crypto to 0.0.0-20231218163308-9d2ee975ef9f or later

Stop the waste.
Protect your environment with Kodem.