SSH servers vulnerable to new Terrapin attacks: Mitigating, Details & Discovery


Staff member

The new Terrapin attack is a type of security exploit that targets SSH (Secure Shell) servers. This attack takes advantage of vulnerabilities in the SSH protocol to gain unauthorized access to a server.

How the new Terrapin attack works?

A flow was found during the discovery that during the SSH integrity checks, by changing certain numbers during the connection setup, an attacker can make it look like some messages weren't sent, without SSH noticing.

Who discovered the new Terrapin attack?​

The New Terrapin attack discovered back in December 2023 by Ruhr University Bochum in Germany. It has been assigned as CVE-2023-48795. You can read more about this on RedHat.

Mitigate new Terrapin attack:​

On CentOS / RHEL-8, and CentOS / RHEL-9
You can disable the following ciphers and HMACs on RHEL-8 and RHEL-9:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
5. [email protected]

To do this, run the following command. You can use either nano or vi, whichever you prefer.
nano /etc/crypto-policies/policies/modules/CVE-2023-48795.pmod

Paste this code:
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0

Now, we need to apply our policy. Run the following command:
update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795

Save your changes and restart the SSH server.

You can verify that the changes are in effect by checking that the ciphers listed above are missing from both files.

For CentOS 7 / RHEL-7:
You should use strict MACs and Ciphers on CentOS 7/RHEL-7.

Use the following ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512

Update both of the following files:


If you are using DirectAdmin or cPanel, immediately fix this vulnerability; otherwise, your servers can be compromised.


Thank you so much! I have some Linux boxes and disabled the ciphers on them.

Here is an article on Terrapin. It involves three vulnerabilities: CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.