So only OpenSSH?
In short: no. Any piece of software that implements SSH (library (e.g. Python’s Paramiko), client application (e.g. PuTTY), server application (e.g. OpenSSH Server), etc.) is potentially vulnerable.
In medium: It affects any application or library that implements the SSH protocol and offers either the ChaCha20-Poly1305 encryption algorithm, or a chained block cipher (CBC) encryption algorithm paired with a MAC algorithm that uses Encrypt-then-MAC (EtM). An example of the latter would be a connection using `aes256-cbc` as the encryption algorithm combined with the `hmac-sha2-256-etm@openssh.com` MAC algorithm.
If you’re using OpenSSH, you can see the list of available encryption and MAC algorithms with `ssh -Q cipher` and `ssh -Q mac` respectively.
Sample output:
```
$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
$ ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
```
More info: There are 3 CVEs associated with Terrapin: the first, CVE-2023-48795, regards the general flaw in the SSH protocol.
The other two (CVE-2023-46445 and CVE-2023-46446) are specifically for the AsyncSSH library which, due to implementation details, has additional vulnerabilities that can be exploited on top of those made available by CVE-2023-48795.
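The rule in the answer above (ChaCha20-Poly1305, or a CBC cipher paired with an EtM MAC) can be applied mechanically to the two `ssh -Q` lists. The following is an added example, not part of the original answer; the function names are hypothetical and the sample lists are a constructed subset of the output quoted above.

```shell
#!/bin/sh
# Added example, not from the original answer. It encodes only the rule
# stated above: ChaCha20-Poly1305, or a CBC cipher paired with an EtM MAC.

# Constructed sample input: a subset of the `ssh -Q` output quoted above.
SAMPLE_CIPHERS='aes256-cbc aes256-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com'
SAMPLE_MACS='hmac-sha2-256 hmac-sha2-256-etm@openssh.com'

# Exit status 0 if the cipher/MAC pair matches the rule, 1 otherwise.
# (Hypothetical helper name.)
terrapin_pair_affected() {
    cipher=$1
    mac=$2
    case $cipher in
        chacha20-poly1305*) return 0 ;;   # AEAD: the MAC list is not used
        *-cbc*)
            case $mac in
                *-etm@*) return 0 ;;      # CBC + Encrypt-then-MAC
            esac ;;
    esac
    return 1
}

# Print every matching mode that can be formed from two
# whitespace-separated lists (ciphers in $1, MACs in $2).
terrapin_offered_modes() {
    for c in $1; do
        case $c in
            chacha20-poly1305*) echo "$c" ;;
            *-cbc*)
                for m in $2; do
                    if terrapin_pair_affected "$c" "$m"; then
                        echo "$c + $m"
                    fi
                done ;;
        esac
    done
    return 0
}

# On a real host: terrapin_offered_modes "$(ssh -Q cipher)" "$(ssh -Q mac)"
terrapin_offered_modes "$SAMPLE_CIPHERS" "$SAMPLE_MACS"
```

`ssh -Q` reports what the binary supports, not what a given connection negotiates; the effective client settings for a host appear in the `ciphers` and `macs` lines of `ssh -G <host>`.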