This guide covers how to address the Terrapin vulnerability on affected systems.
Remediating Terrapin
First, always update OpenSSH to the most recent available version and run a fw.noc scan to confirm whether the system is still vulnerable. The methods below should only be used if updating OpenSSH to a patched version is not possible.
You can check your current OpenSSH version by running ssh -V.
OpenSSH ≥ 9.6
Systems running OpenSSH version 9.6 or later have received a patch for the Terrapin vulnerability and should be unaffected. Refer to an up-to-date fw.noc scan to confirm this.
OpenSSH ≥ 8.2
Systems running OpenSSH from 8.2 up to (but not including) 9.6 should use an sshd snippet to remediate the Terrapin vulnerability.
1. Create a new snippet in the sshd_config.d directory: sudo vim /etc/ssh/sshd_config.d/99-terrapin-remediation.conf
2. Add the following lines:
    # Terrapin mitigation - YOURNAME DATE
    Ciphers -chacha20*
    MACs -*-etm*
3. Write & quit (`:wq!`)
4. Check that your configuration is valid with sshd -t. No output means everything is good.
- If you see errors, revert your changes and follow the guide for one of the older versions of OpenSSH below.
5. Restart the ssh service with systemctl restart sshd
6. Ensure that you can log into the system as root or yourself.
7. Rescan the system from fw.noc to ensure the vulnerability was resolved.
** On Ubuntu 20.04, the following lines should be added to /etc/ssh/sshd_config so that the snippet directory is read:
    Match all
    Include /etc/ssh/sshd_config.d/*.conf
OpenSSH ≥ 7.5
Systems running OpenSSH 7.5 up to 8.1 will need to modify the /etc/ssh/sshd_config file directly as these versions of OpenSSH do not support the "Include" keyword and therefore do not support an /etc/ssh/sshd_config.d directory.
If you are running Salt on a box, please note that running certain states, especially the util.sshd_template state, will overwrite any changes you make!
1. Open the sshd_config file for editing: sudo vim /etc/ssh/sshd_config
2. Add the following lines to the bottom of the file:
    # Terrapin mitigation - YOURNAME DATE
    Ciphers -chacha20*
    MACs -*-etm*
3. Write & quit (`:wq!`)
4. Check that your configuration is valid with sshd -t. No output means everything is good.
- If you see errors, revert your changes and follow the guide for one of the older versions of OpenSSH below.
5. Restart the ssh service with systemctl restart sshd
6. Ensure that you can log into the system as root or yourself.
7. Rescan the system from fw.noc to ensure the vulnerability was resolved.
OpenSSH < 7.5
Systems running OpenSSH 7.4 and below will need to modify the /etc/ssh/sshd_config file directly, as these versions of OpenSSH do not support the "Include" keyword and therefore do not support an /etc/ssh/sshd_config.d directory. In addition, 7.4 and below do not support the "Ciphers -*" or "MACs -*" removal syntax, so the full list of Ciphers and MACs must be stated explicitly.
1. Get the current list of Ciphers and MACs with: sshd -T | grep -ie "ciphers" -e "macs"
2. Copy the two lines of output. It should look something like:
    ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
3. Open the sshd_config file for editing: sudo vim /etc/ssh/sshd_config
4. Add a comment with your name and date, then append the copied lines to the bottom of the file:
    # Terrapin mitigation - YOURNAME DATE
    ciphers chacha20...
    macs umac-64-etm...
5. Edit the copied lines to remove the chacha20* cipher, remove every MAC containing "etm", and correct the capitalization of the keywords (Ciphers, MACs). Your final lines should look something like the following.
!! Please do not copy/paste these lines !! Use the lists from your own system's output.
    # Terrapin mitigation - YOURNAME DATE
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
6. Write & quit (`:wq!`)
7. Check that your configuration is valid with sshd -t. No output means everything is good.
- If you see errors, revert your changes. This guide does not cover other remediations, so if Terrapin cannot be remediated or patched, this may need to be noted as an exception.
8. Dump the configuration sshd will load and ensure that the chacha20* ciphers and *etm* MACs no longer show: sshd -T | grep -ie "ciphers" -e "macs"
9. Restart the ssh service with systemctl restart sshd
10. Ensure you can log into the system as root or yourself.
11. Rescan the system from fw.noc to ensure the vulnerability was resolved.
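As an added example (not part of this guide), the shell functions below automate steps 1-5 and the check in step 8 of the OpenSSH < 7.5 procedure: they strip the chacha20* cipher and the *-etm* MACs from `sshd -T` output, fix the keyword capitalization, and test a configuration dump for leftovers. The sample input is constructed to mirror the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the guide): derive the OpenSSH < 7.5 "Ciphers"/"MACs"
# lines from `sshd -T` output and check a config dump for Terrapin-relevant algorithms.

# Constructed sample of `sshd -T | grep -ie "ciphers" -e "macs"` output, mirroring
# the guide's example; on a real host, pipe the real command into the functions.
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# filter_list LIST GLOB: print LIST (comma-separated) without the items matching GLOB.
# This does by hand what the "-chacha20*" / "-*-etm*" syntax does on OpenSSH >= 7.5.
filter_list() {
  fl_pattern=$2 fl_out=""
  fl_ifs=$IFS; IFS=','
  for fl_item in $1; do
    case "$fl_item" in
      $fl_pattern) ;;                              # matches the vulnerable glob: drop it
      *) fl_out="${fl_out:+$fl_out,}$fl_item" ;;   # keep, re-joining with commas
    esac
  done
  IFS=$fl_ifs
  printf '%s' "$fl_out"
}

# terrapin_lines: read `sshd -T` output on stdin (the full dump or just the two
# grep'd lines) and print the two sshd_config lines with keyword capitalization fixed.
terrapin_lines() {
  while read -r tl_key tl_value; do
    case "$tl_key" in
      ciphers) printf 'Ciphers %s\n' "$(filter_list "$tl_value" 'chacha20*')" ;;
      macs)    printf 'MACs %s\n'    "$(filter_list "$tl_value" '*-etm*')" ;;
    esac
  done
}

# terrapin_check: exit 0 only if stdin offers no chacha20 cipher and no encrypt-then-MAC
# MAC. Works on `sshd -T` output (lowercase keys) and on the lines you wrote (-i).
terrapin_check() {
  ! grep -Eiq '^(ciphers .*chacha20|macs .*-etm)'
}

printf '%s\n' "$SAMPLE_SSHD_T" | terrapin_lines
```

On a real host run `sshd -T | terrapin_lines` to generate the lines for step 5, and `sshd -T | terrapin_check && echo clean` after the restart in place of eyeballing the grep output in step 8.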