CVE-2023-46445 in AsyncSSH (Terrapin)
Summary
by MITRE • 11/14/2023
An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/26/2026
The vulnerability identified as CVE-2023-46445 represents a critical security flaw in the AsyncSSH library version 2.14.1 and earlier, where attackers can manipulate the extension information message as defined in RFC 8308 through man-in-the-middle attacks. This issue falls under the category of rogue extension negotiation, where malicious actors can inject or modify extension parameters during SSH key exchange processes, potentially compromising the integrity of secure communications.
The technical root cause of this vulnerability lies in the insufficient validation of extension information messages during the SSH handshake process. When AsyncSSH handles extension negotiation, it fails to properly verify the authenticity and integrity of extension parameters received from remote peers. This weakness allows attackers positioned in the network path to intercept and modify the extension information message, which contains metadata about supported extensions, capabilities, and features negotiated between SSH clients and servers. The flaw specifically affects the extension info message processing logic that should validate extension parameters against known standards and expected behaviors.
From an operational perspective, this vulnerability poses significant risks to systems relying on AsyncSSH for secure remote access and automated operations. Attackers can exploit this weakness to perform various malicious activities including injecting malicious extensions, disabling security features, or redirecting connection parameters. The impact extends beyond simple data interception to potentially enabling more sophisticated attacks such as credential theft, privilege escalation, or establishment of persistent backdoors within secure environments. Organizations using AsyncSSH for automated infrastructure management, remote system administration, or secure file transfers face elevated risk of compromise.
The vulnerability demonstrates characteristics consistent with CWE-295, which addresses improper certificate validation, and aligns with ATT&CK techniques involving network infiltration and credential access. Security professionals should note that this flaw particularly affects environments where SSH is used for critical infrastructure management, as attackers can manipulate extension parameters to bypass security controls or gain unauthorized access to systems. The man-in-the-middle attack vector suggests that network traffic monitoring and interception capabilities are sufficient for exploitation, making this vulnerability particularly dangerous in environments with insufficient network security controls or where traffic is not properly encrypted end-to-end.
Organizations should immediately upgrade to AsyncSSH version 2.14.1 or later to remediate this vulnerability, as this release includes proper validation mechanisms for extension information messages. Additionally, implementing network segmentation, using strong encryption protocols, and deploying proper certificate validation controls can help mitigate the risk of exploitation. Security monitoring should include detection of anomalous extension negotiation patterns, and regular security audits should verify that SSH implementations properly validate all extension parameters received during connection establishment. The fix addresses the core issue by implementing robust validation checks that ensure extension information messages conform to established standards and cannot be manipulated by unauthorized parties during the secure communication handshake process.