In this paper, the authors show that as new encryption
algorithms and mitigations were added to SSH, the SSH Binary Packet
Protocol ceased to be a secure channel: SSH channel integrity
(INT-PST) is broken for three widely used encryption modes
(ChaCha20-Poly1305, CBC-EtM and CTR-EtM). This allows prefix
truncation attacks, in which a network attacker can delete some
encrypted packets at the beginning of the SSH channel without the
client or server noticing, because the sequence numbers that bind
each packet to its position are implicit (never sent on the wire)
and can be manipulated during the unauthenticated part of the
handshake. They demonstrate several real-world applications of this
attack. They show that they can fully break SSH extension
negotiation (RFC 8308), so that an attacker can downgrade the public
key algorithms used for user authentication or turn off the
countermeasure against keystroke timing attacks introduced in
OpenSSH 9.5. They also identified an implementation flaw in AsyncSSH
that, combined with prefix truncation, allows an attacker to
redirect the victim's login into a shell controlled by the attacker.
Related proof-of-concept code from their GitHub repository has been
added to this archive.
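The sequence-number manipulation behind the prefix truncation described above, as an added worked example for this listing (not code from the paper or from the archived proof of concept). It is a toy model of the SSH Binary Packet Protocol in the server-to-client direction: the handshake is reduced to KEXINIT, NEWKEYS, EXT_INFO and one follow-on message, and the post-NEWKEYS authenticated encryption is stood in for by an HMAC over (sequence number || type || payload), which preserves the property that matters, namely that integrity is bound to a counter that is never transmitted. The session key, the message payloads and the `strict_kex` toggle (a simplification modelled on the kex-strict extension OpenSSH shipped as a countermeasure) are all assumptions of the example.

```python
"""Toy model of the SSH Binary Packet Protocol (BPP) with implicit sequence
numbers.  Added example for this listing, not code from the Terrapin paper or
its proof of concept.  Server->client direction only; AEAD / encrypt-then-MAC
integrity is replaced by an HMAC keyed on the (implicit) sequence number.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message numbers from RFC 4253 and RFC 8308.
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21

# Constructed key; a real session derives it from the key exchange.
KEY = b"constructed-session-key-for-the-example"


@dataclass
class Packet:
    msg_type: int
    payload: bytes = b""
    tag: Optional[bytes] = None  # only present once the sender encrypts


def _tag(seq: int, msg_type: int, payload: bytes) -> bytes:
    """Stand-in for AEAD / EtM integrity; the sequence number is the only
    thing binding a packet to its position in the stream."""
    data = seq.to_bytes(4, "big") + bytes([msg_type]) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


@dataclass
class Endpoint:
    name: str
    strict_kex: bool = False   # assumption: simplified kex-strict behaviour
    send_seq: int = 0
    recv_seq: int = 0
    encrypting: bool = False   # set after our own NEWKEYS goes out
    decrypting: bool = False   # set after the peer's NEWKEYS arrives
    received: List[int] = field(default_factory=list)

    def send(self, msg_type: int, payload: bytes = b"") -> Packet:
        tag = _tag(self.send_seq, msg_type, payload) if self.encrypting else None
        pkt = Packet(msg_type, payload, tag)
        self.send_seq += 1  # counted whether or not the packet was protected
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypting = True
            if self.strict_kex:
                self.send_seq = 0  # strict kex: counters restart after NEWKEYS
        return pkt

    def receive(self, pkt: Packet) -> None:
        if self.decrypting:
            expected = _tag(self.recv_seq, pkt.msg_type, pkt.payload)
            if pkt.tag is None or not hmac.compare_digest(pkt.tag, expected):
                raise ValueError(f"{self.name}: MAC failure at seq {self.recv_seq}")
        elif self.strict_kex and pkt.msg_type == SSH_MSG_IGNORE:
            # strict kex: unexpected messages during the handshake are fatal
            raise ValueError(f"{self.name}: unexpected IGNORE during strict kex")
        self.recv_seq += 1
        if pkt.msg_type == SSH_MSG_NEWKEYS:
            self.decrypting = True
            if self.strict_kex:
                self.recv_seq = 0
        if pkt.msg_type != SSH_MSG_IGNORE:
            self.received.append(pkt.msg_type)


def mitm(attack: str, pkt: Packet) -> List[Packet]:
    """What the network attacker delivers to the client for each server packet."""
    if attack == "inject_and_drop" and pkt.msg_type == SSH_MSG_KEXINIT:
        # Unauthenticated phase: an injected IGNORE advances the client's
        # receive counter by one while the server's send counter is unchanged.
        return [pkt, Packet(SSH_MSG_IGNORE)]
    if attack in ("drop", "inject_and_drop") and pkt.msg_type == SSH_MSG_EXT_INFO:
        return []  # delete the first encrypted packet (EXT_INFO)
    return [pkt]


SERVER_SCRIPT = [  # constructed payloads, not real wire encodings
    (SSH_MSG_KEXINIT, b"kexinit"),
    (SSH_MSG_NEWKEYS, b""),
    (SSH_MSG_EXT_INFO, b"server-sig-algs=rsa-sha2-512,ssh-ed25519"),
    (SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"),
]


def simulate(attack: str = "none", strict_kex: bool = False) -> Tuple[bool, List[int], str]:
    """Return (channel_ok, message types the client accepted, error text)."""
    server = Endpoint("server", strict_kex)
    client = Endpoint("client", strict_kex)
    try:
        for msg_type, payload in SERVER_SCRIPT:
            for delivered in mitm(attack, server.send(msg_type, payload)):
                client.receive(delivered)
    except ValueError as err:
        return False, client.received, str(err)
    return True, client.received, ""


if __name__ == "__main__":
    for attack, strict in [("none", False), ("drop", False),
                           ("inject_and_drop", False), ("inject_and_drop", True)]:
        print(attack, "strict" if strict else "legacy", simulate(attack, strict))
```

Simply dropping EXT_INFO is caught: the next packet arrives with a tag computed over sequence number 3 while the client expects 2. Injecting one IGNORE before NEWKEYS shifts the client's counter up by one, so after the drop the counters line up again and the channel continues with EXT_INFO (and its server-sig-algs list) silently gone. With the strict-kex toggle the injected IGNORE is rejected during the handshake and, because both counters restart at zero after NEWKEYS, a bare drop is still detected.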
Read more https://packetstormsecurity.com/files/176280/Terrapin-ssh.tgz