Description
The SSH transport protocol, including certain OpenSSH extensions, is susceptible to a security vulnerability known as the Terrapin attack. This flaw, present in OpenSSH versions before 9.6 and various other products, allows remote attackers to bypass integrity checks during the handshake phase. As a result, some packets may be omitted from the extension negotiation message, leading to a downgraded or disabled state of certain security features in the connection. The issue is related to the mishandling of the SSH Binary Packet Protocol (BPP) and the misuse of sequence numbers. Specifically, the attack affects the use of ChaCha20-Poly1305 and CBC with Encrypt-then-MAC encryption methods.
Mitigation
Disable the following ciphers and HMACs.
Steps
Command to check mac_algorithm [OPTIONAL before change]
nmap --script ssh2-enum-algos -sV -p 22 <PAM IP>
nmap --script ssh2-enum-algos -sV -p 2222 <PAM IP>
SSH to APPM server.
Go to "/etc/ssh/".
Edit file "sshd_config".
Add line "MACs hmac-sha2-256,hmac-sha2-512".
Append to line "Ciphers [email protected]"
Run command "service sshd restart" or "systemctl restart sshd" to restart sshd service.
Go to "/home/irass/conf".
Edit file "sshd_config".
Add line "MACs hmac-sha2-256,hmac-sha2-512".
- Append to line "Ciphers [email protected]"
- Modify the line to "AllowAgentForwarding no"
- Modify the line to "X11Forwarding no"
Login to admin console and restart irass services.
Command to check mac_algorithm [OPTIONAL after change]
nmap --script ssh2-enum-algos -sV -p 22 <PAM IP>
nmap --script ssh2-enum-algos -sV -p 2222 <PAM IP>
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article