5.9

CVSS Score

Basic Information

CVE ID

CVE-2024-41909

GHSA ID

GHSA-2326-hx7g-3m9r

EPSS Score

CWE

CWE-354

Published

8/12/2024

Updated

8/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41909

CVE-2024-41909:
Apache MINA SSHD: integrity check bypass

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack

The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

(GitHub Advisory)

5.9

CVSS Score

Basic Information

CVE ID

CVE-2024-41909

GHSA ID

GHSA-2326-hx7g-3m9r

EPSS Score

CWE

CWE-354

Published

8/12/2024

Updated

8/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.sshd:sshd-common	maven	< 2.12.0	2.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of message integrity during key exchange (CWE-354). The Terrapin attack exploits two gaps: 1) allowing non-KEX_INIT messages during initial key exchange, and 2) not resetting sequence numbers properly. The commits show added strict KEX validation in AbstractSession (6b0fd46) and message handling tests (315739e). The handleMessage function would have previously processed messages without strict sequence validation, while resetSequenceNumbers didn't properly maintain counter integrity. These functions are central to the KEX message flow and were explicitly modified in the patch to add strict validation checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Lik* m*ny ot**r SS* impl*m*nt*tions, *p**** MIN* SS** su***r** *rom t** issu* t**t is mor* wi**ly known *s *V*-****-*****. *n *tt**k*r t**t **n int*r**pt tr***i* **tw**n *li*nt *n* s*rv*r *oul* *rop **rt*in p**k*ts *rom t** str**m, pot*nti*lly **usin

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion o* m*ss*** int**rity *urin* k*y *x***n** (*W*-***). T** T*rr*pin *tt**k *xploits two **ps: *) *llowin* non-K*X_INIT m*ss***s *urin* initi*l k*y *x***n**, *n* *) not r*s*ttin* s*qu*n** num**rs prop*rly.

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-41909: Apache MINA SSHD: integrity check bypass

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-41909:
Apache MINA SSHD: integrity check bypass

Vulnerability Intelligence
Miggo AI