PT-2023-33026 · Asyncssh · Asyncssh
Published 2023-12-18 · Updated 2023-12-18
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
AsyncSSH versions 2.14.1 and earlier
Description
The vulnerability (the Terrapin attack) allows a man-in-the-middle attacker to strip an arbitrary number of messages immediately after the initial key exchange, breaking SSH extension negotiation (for example by deleting the SSH_MSG_EXT_INFO message that carries server-sig-algs) and downgrading connection security. It affects connections that use the chacha20-poly1305@openssh.com cipher, or a CBC-mode cipher combined with an Encrypt-then-MAC (*-etm@openssh.com) MAC. The attacker injects an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and removes the same number of messages just after it has concluded. This works because the excess SSH_MSG_IGNORE messages arrive before encryption and integrity protection are enabled, so they are never authenticated, yet they still advance the receiver's implicit sequence counter; sequence numbers are only bound to packets (through the MAC or the AEAD nonce) once the key exchange is finished, and they are not reset at that point, so after the deletion the counters on both ends still agree and the missing messages go unnoticed.
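To make the mechanism concrete, the following Python model, added here as an illustration and not code from AsyncSSH or from this advisory, replays the server-to-client half of a handshake through a MITM. It stands in for ChaCha20-Poly1305 and Encrypt-then-MAC with a plain HMAC over the implicit sequence number (both real modes bind the counter in the same way), and lets the two strict-kex rules be switched on for comparison. The message numbers are the real RFC 4253/8308 values; the session key, payloads and the Transport/simulate names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message numbers from RFC 4253 and RFC 8308 (real protocol constants).
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31
KEX_MSGS = {SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS}


@dataclass
class Packet:
    msg_type: int
    payload: bytes
    mac: Optional[bytes]  # None for unauthenticated handshake packets; the seq is never on the wire


class Transport:
    """Toy one-directional (server -> client) SSH transport. Each end keeps a 32-bit implicit
    sequence counter; once keys are live every packet carries HMAC(key, seq || type || payload),
    standing in for ChaCha20-Poly1305 and EtM, which bind the counter in the same way."""

    def __init__(self, key: bytes, strict_kex: bool):
        self.key, self.strict_kex = key, strict_kex
        self.seq, self.keys_live, self.in_initial_kex = 0, False, True

    def _tag(self, seq: int, msg_type: int, payload: bytes) -> bytes:
        data = seq.to_bytes(4, "big") + bytes([msg_type]) + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _after_newkeys(self) -> None:
        self.keys_live, self.in_initial_kex = True, False
        if self.strict_kex:
            self.seq = 0  # strict kex rule 2: counters restart from zero after NEWKEYS

    def send(self, msg_type: int, payload: bytes = b"") -> Packet:
        mac = self._tag(self.seq, msg_type, payload) if self.keys_live else None
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self._after_newkeys()
        return Packet(msg_type, payload, mac)

    def receive(self, pkt: Packet) -> int:
        # strict kex rule 1: only key-exchange messages are allowed during the initial handshake
        if self.strict_kex and self.in_initial_kex and pkt.msg_type not in KEX_MSGS:
            raise ConnectionError("strict kex: unexpected message %d during handshake" % pkt.msg_type)
        if self.keys_live:
            expected = self._tag(self.seq, pkt.msg_type, pkt.payload)
            if pkt.mac is None or not hmac.compare_digest(expected, pkt.mac):
                raise ConnectionError("MAC failure at seq %d" % self.seq)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        if pkt.msg_type == SSH_MSG_NEWKEYS:
            self._after_newkeys()
        return pkt.msg_type


def simulate(strict_kex: bool, injected_ignores: int, deleted_after_newkeys: int) -> Tuple[str, List[int]]:
    """Replay the server's half of a handshake through a MITM that inserts `injected_ignores`
    forged SSH_MSG_IGNORE packets before NEWKEYS and drops `deleted_after_newkeys` packets
    after it. Returns ("ok" or the abort reason, the message types the client accepted)."""
    key = b"constructed-demo-session-key"  # both ends derive the same key from the kex
    server, client = Transport(key, strict_kex), Transport(key, strict_kex)
    wire = [server.send(SSH_MSG_KEXINIT, b"algorithm lists")]
    wire += [Packet(SSH_MSG_IGNORE, b"", None)] * injected_ignores  # forged: no MAC needed yet
    wire += [server.send(SSH_MSG_KEXDH_REPLY, b"host key + signature"), server.send(SSH_MSG_NEWKEYS)]
    post = [server.send(SSH_MSG_EXT_INFO, b"server-sig-algs"),
            server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth")]
    wire += post[deleted_after_newkeys:]  # the attacker drops the first N authenticated packets
    accepted: List[int] = []
    try:
        for pkt in wire:
            accepted.append(client.receive(pkt))
    except ConnectionError as err:
        return "aborted: %s" % err, accepted
    return "ok", accepted


if __name__ == "__main__":
    print("honest       ", simulate(False, 0, 0))  # EXT_INFO (7) delivered
    print("terrapin     ", simulate(False, 1, 1))  # EXT_INFO gone, no error raised
    print("delete only  ", simulate(False, 0, 1))  # without injection the MAC catches it
    print("strict kex   ", simulate(True, 1, 1))   # injection is rejected outright
```

Run stand-alone, the honest handshake delivers SSH_MSG_EXT_INFO; with one forged IGNORE before NEWKEYS and one deletion after it the client completes the handshake with EXT_INFO silently missing; deletion without the preceding injection fails the MAC check; and with strict kex the client aborts on the first forged IGNORE. Because strict kex also resets the counters at NEWKEYS, an attacker who somehow bypassed rule 1 would still trip the MAC check on the first packet after a deletion.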
Recommendations
To mitigate this protocol vulnerability, support for strict key exchange (the kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com extension, which rejects any non-key-exchange message during the initial handshake and resets the sequence numbers after SSH_MSG_NEWKEYS) has been added to AsyncSSH in the patched release, 2.14.2; upgrading is the recommended fix. Note that the countermeasure only takes effect when both the client and the server support it, so a patched AsyncSSH talking to an unpatched peer remains exposed. Where one side cannot be patched, disable the affected algorithms (chacha20-poly1305@openssh.com, and CBC ciphers together with *-etm@openssh.com MACs) on the side you control and prefer unaffected alternatives such as AES-GCM; in AsyncSSH the cipher and MAC lists are set with the encryption_algs and mac_algs connection options.
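As an added check (example code, not from AsyncSSH or from this advisory), the Python below parses SSH_MSG_KEXINIT payloads, determines whether both sides signal strict key exchange, works out which cipher and MAC would be negotiated for the server-to-client direction, and reports whether that combination is exposed; harden_lists shows the algorithm filtering the workaround calls for. The KEXINIT layout and the kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com markers are the real ones; the sample offers and all function names are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Real protocol constants: RFC 4253 section 7.1 layout, strict-kex markers from OpenSSH 9.6.
SSH_MSG_KEXINIT = 20
KEX_STRICT_CLIENT = "kex-strict-c-v00@openssh.com"  # a client puts this in its kex name-list
KEX_STRICT_SERVER = "kex-strict-s-v00@openssh.com"  # a server puts this in its kex name-list
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _namelist(names: List[str]) -> bytes:
    """SSH name-list encoding: uint32 length, then comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Serialise an SSH_MSG_KEXINIT payload (used here only to construct sample packets)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        body += _namelist(fields.get(name, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved = 0


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 1 + 16, {}
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        off += 4 + n
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out


def negotiate(client: List[str], server: List[str]) -> str:
    """RFC 4253 choice rule: the first client preference that the server also lists."""
    for alg in client:
        if alg in server:
            return alg
    raise ValueError("no common algorithm")


def terrapin_affected(cipher: str, mac: str) -> bool:
    """Combinations the advisory calls affected: ChaCha20-Poly1305, and CBC with Encrypt-then-MAC."""
    return cipher == "chacha20-poly1305@openssh.com" or (
        cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def harden_lists(ciphers: List[str], macs: List[str]) -> Tuple[List[str], List[str]]:
    """Workaround for an unpatched peer: drop ChaCha20-Poly1305, every CBC cipher and every EtM MAC
    (slightly stricter than necessary) and move AES-GCM to the front."""
    safe_c = [c for c in ciphers if c != "chacha20-poly1305@openssh.com" and not c.endswith("-cbc")]
    safe_c.sort(key=lambda c: 0 if c.endswith("-gcm@openssh.com") else 1)  # stable: keeps relative order
    return safe_c, [m for m in macs if not m.endswith("-etm@openssh.com")]


def harden_fields(fields: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply harden_lists to both directions of a KEXINIT field set."""
    out = dict(fields)
    for d in ("c2s", "s2c"):
        out["enc_" + d], out["mac_" + d] = harden_lists(fields["enc_" + d], fields["mac_" + d])
    return out


def assess(client_kexinit: bytes, server_kexinit: bytes) -> Dict[str, object]:
    """From both KEXINITs, decide whether the server->client direction is Terrapin-exposed:
    an affected algorithm pair is negotiated AND at least one side lacks strict kex."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    strict = KEX_STRICT_CLIENT in c["kex"] and KEX_STRICT_SERVER in s["kex"]  # markers, not kex algs
    cipher, mac = negotiate(c["enc_s2c"], s["enc_s2c"]), negotiate(c["mac_s2c"], s["mac_s2c"])
    return {"strict_kex": strict, "cipher": cipher, "mac": mac,
            "exposed": terrapin_affected(cipher, mac) and not strict}


# Constructed sample offers (not captured from real hosts).
_ALGS = {"hostkey": ["ssh-ed25519"], "comp_c2s": ["none"], "comp_s2c": ["none"],
         "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
         "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
         "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
         "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]}
PATCHED_CLIENT = dict(_ALGS, kex=["curve25519-sha256", KEX_STRICT_CLIENT])
OLD_SERVER = dict(_ALGS, kex=["curve25519-sha256"])                     # e.g. AsyncSSH <= 2.14.1
NEW_SERVER = dict(_ALGS, kex=["curve25519-sha256", KEX_STRICT_SERVER])  # strict kex supported

if __name__ == "__main__":
    print("patched client vs old server:", assess(build_kexinit(PATCHED_CLIENT), build_kexinit(OLD_SERVER)))
    print("patched client vs new server:", assess(build_kexinit(PATCHED_CLIENT), build_kexinit(NEW_SERVER)))
    print("hardened client vs old server:",
          assess(build_kexinit(harden_fields(PATCHED_CLIENT)), build_kexinit(OLD_SERVER)))
```

Against the unpatched server the patched client still negotiates chacha20-poly1305@openssh.com and is reported exposed, which is the "both sides must support it" point; against the strict-kex server the same offer is safe; and the hardened offer lands on aes256-gcm@openssh.com even against the old server. The hardened cipher and MAC lists map directly onto AsyncSSH's encryption_algs and mac_algs connection options.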
Fix
Upgrade to AsyncSSH 2.14.2 or later, the release that adds strict key exchange support.
Weakness Enumeration
CWE-345: Insufficient Verification of Data Authenticity
Related Identifiers
CVE-2023-48795 (Terrapin)
Affected Products
Asyncssh