Remediation Steps

Follow the steps below to remediate this finding on Linux (Debian/Ubuntu).

  1. The Terrapin attack needs two conditions at once: the connection must negotiate either ChaCha20-Poly1305 or a CBC-mode cipher combined with an Encrypt-then-MAC MAC, and the attacker must be able to perform prefix truncation during the handshake (silently dropping the first messages of the secure channel). Removing either condition defeats the attack.

  2. The primary fix is to update OpenSSH to a version that includes the "strict KEX" countermeasure (OpenSSH 9.6+). Debian and Ubuntu ship the countermeasure as a backported security update, so the packaged version number can be lower than 9.6 and still be fixed; check the package changelog rather than the version string alone:

    sudo apt update && sudo apt upgrade openssh-server openssh-client
  3. If an update is not yet available, mitigate by removing the affected algorithms from the server defaults in /etc/ssh/sshd_config. A single leading "-" on the list removes the named entries from the default set (the "-" is written once, not once per name). The default cipher list contains no CBC ciphers, so there is nothing to remove there unless you have added some yourself:

    Ciphers -chacha20-poly1305@openssh.com
    MACs -hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

     Validate the file with sshd -t before restarting, so a typo does not lock you out of the host, then restart the service:

    sudo systemctl restart ssh
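Whether the update in step 2 or the configuration change in step 3 actually took effect is best confirmed by looking at what the server advertises in its SSH_MSG_KEXINIT, which is where both the "strict KEX" marker and the offered cipher and MAC lists appear. The script below is an added example, not part of this remediation page or of OpenSSH: it opens a connection to a host you supply (default 127.0.0.1), exchanges identification strings, parses the first server packet per RFC 4253 section 7.1, and applies the two preconditions from step 1. It goes slightly beyond step 3 by also flagging the CBC-plus-Encrypt-then-MAC combination, and it reports "strict KEX offered" rather than "safe", because the countermeasure only takes effect when the client supports it too. Function names and the constructed sample packets are this example's own.

```python
"""Check whether an SSH server still exposes the Terrapin preconditions.

Added example (not from the remediation page): parses the server's
SSH_MSG_KEXINIT (RFC 4253, section 7.1) and reports whether it advertises
the OpenSSH "strict KEX" countermeasure (kex-strict-s-v00@openssh.com) and
whether it still offers the affected algorithms (ChaCha20-Poly1305, or a
CBC cipher together with an Encrypt-then-MAC MAC).  Function names and the
constructed sample packets are this example's own.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA20 = "chacha20-poly1305@openssh.com"
# Order of the name-lists that follow the 16-byte cookie in KEXINIT.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(packet):
    """Parse a raw, unencrypted binary packet holding SSH_MSG_KEXINIT."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    # packet_length counts the padding_length byte, the payload and the padding.
    payload = packet[5:5 + packet_len - padding_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("packet is not SSH_MSG_KEXINIT")
    off = 1 + 16  # message type byte + cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    return fields


def assess(fields):
    """Apply the two Terrapin preconditions to a parsed server KEXINIT."""
    strict = STRICT_KEX_SERVER in fields["kex"]
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    chacha = CHACHA20 in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    if not (chacha or cbc_etm):
        status = "mitigated: no affected algorithms offered"
    elif strict:
        status = "protected: strict KEX offered (effective with strict-KEX clients)"
    else:
        status = "vulnerable: affected algorithms offered without strict KEX"
    return {"strict_kex": strict, "chacha20": chacha, "cbc_etm": cbc_etm,
            "status": status}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, return the server's KEXINIT packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rf = sock.makefile("rb")
        # Servers may send banner lines before the "SSH-" identification line.
        while True:
            line = rf.readline()
            if not line:
                raise ConnectionError("server closed before identification")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")
        header = rf.read(4)
        (packet_len,) = struct.unpack(">I", header)
        return header + rf.read(packet_len)


def build_kexinit(kex, hostkey, ciphers, macs):
    """Construct a KEXINIT packet; used here only to build sample input offline."""
    def name_list(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body
    payload = (bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex) + name_list(hostkey)
               + name_list(ciphers) * 2 + name_list(macs) * 2
               + name_list(["none"]) * 2 + name_list([]) * 2
               + bytes([0]) + struct.pack(">I", 0))  # first_kex_packet_follows, reserved
    pad = (-(5 + len(payload))) % 8  # total length must be a multiple of 8 ...
    if pad < 4:                      # ... with at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for key, value in assess(parse_kexinit(fetch_server_kexinit(target))).items():
        print(f"{key}: {value}")
```

Run it against the remediated host after the restart in step 3: a server that has applied the Ciphers and MACs lines reports "mitigated", and one carrying the strict KEX update reports "protected". Only the first server packet is read and nothing is authenticated, so the check is safe to run against production hosts and shows up in the server log as a connection that closed during key exchange.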