Script to Mitigate macOS 13.x Terrapin SSH Vulnerability
18 Jul
If you have some old Mac hardware without a budget for upgrades, which is often the case in educational environments, you may find yourself running older versions of macOS that no longer receive critical security updates from Apple. This leaves those systems exposed to vulnerabilities that will never be fixed upstream, including the Terrapin SSH vulnerability, which still affects macOS 13.x because the OpenSSH bundled with Ventura has not received the fix.
To help mitigate this risk, here is a Bash script that applies a configuration-level mitigation for Terrapin on macOS 13.x systems. It does not patch OpenSSH itself; it stops the vulnerable cipher from being negotiated, which is enough to block the attack. It can be run safely on affected machines and re-run at any time, providing an additional layer of security even without official updates from Apple.
Before running the script, ensure you have administrative privileges (it must run as root, via sudo or a management tool such as Jamf Pro), and back up your system first. Always test scripts in a controlled environment, if possible, to verify functionality and compatibility with your system configuration.
The Terrapin vulnerability (CVE-2023-48795) is a flaw in the SSH binary packet protocol that lets a man-in-the-middle (MITM) attacker tamper with the start of the secure channel without being detected. Because the handshake transcript is not fully authenticated and packet sequence numbers are not reset once encryption begins, an attacker can inject ignored messages during key exchange and then silently delete the same number of packets after the handshake completes: a prefix truncation attack. In practice this lets the attacker strip the extension negotiation message (SSH_MSG_EXT_INFO) and so downgrade the connection, for example by hiding the server's advertised signature algorithms; with some non-OpenSSH implementations the impact is worse. The attack only works when certain modes are negotiated: chacha20-poly1305@openssh.com, or any CBC cipher combined with an Encrypt-then-MAC (*-etm@openssh.com) MAC.
Because the weakness is in the protocol rather than one implementation, every SSH client and server is affected. OpenSSH 9.6 addressed it with a "strict key exchange" extension (kex-strict-c-v00@openssh.com on the client, kex-strict-s-v00@openssh.com on the server) that resets sequence numbers after the handshake and aborts on unexpected messages during key exchange; it only protects a connection when both peers support it. Until both sides are updated, the practical mitigation is to stop negotiating the vulnerable modes: remove chacha20-poly1305@openssh.com from the cipher list and do not pair CBC ciphers with -etm MACs. macOS 13's default cipher list contains no CBC ciphers, so removing chacha20 is sufficient unless you have customised the list.
This script mitigates the "Terrapin" SSH vulnerability on a Mac running macOS 13.x.
Here's what it does:
- It checks that your Mac is running macOS 13 (Ventura). If not, it stops and changes nothing.
- It updates your Mac's SSH settings to remove the chacha20-poly1305@openssh.com cipher, the one Terrapin can exploit, from the list of ciphers SSH will negotiate; the other default ciphers are left in place.
- It makes this change for both connecting to other computers (the SSH client) and allowing others to connect to your Mac (the SSH server).
- If the Mac's remote access service (sshd, i.e. Remote Login) is running, it restarts it so the new setting takes effect right away.
- It keeps a log of what it did in /var/log/mitigate_terrapin.log for your IT team to review.
#!/bin/bash
#
# This script mitigates the Terrapin SSH vulnerability on macOS by disabling the
# vulnerable cipher for both SSH client and server.
#
# Revised - 2025.06.27
#
# It can be run via Jamf Pro or manually and is safe to run repeatedly.
#
# Reference: https://frank.seesink.com/blog/how-to-mitigate-terrapin-attack-on-macos/
#
# Copyright (c) 2025 University of Utah Student Computing Labs.
# All Rights Reserved.
#
# Permission to use, copy, modify, and distribute this software and
# its documentation for any purpose and without fee is hereby granted,
# provided that the above copyright notice appears in all copies and
# that both that copyright notice and this permission notice appear
# in supporting documentation, and that the name of The University
# of Utah not be used in advertising or publicity pertaining to
# distribution of the software without specific, written prior
# permission. This software is supplied as is without expressed or
# implied warranties of any kind.
set -euo pipefail
SCRIPT_LOG="/var/log/mitigate_terrapin.log"

log_with_level()
{
    local level="$1"
    local message="$2"
    local timestamp
    timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    # Echo to stdout (Jamf captures it) and append to the log; never let a
    # logging failure abort the mitigation under set -e.
    echo "$timestamp [$level] $message" | tee -a "$SCRIPT_LOG" 2>/dev/null || true
}

log()
{
    log_with_level "INFO" "$1"
}

# Writing under /etc/ssh and /var/log requires root; fail early with a clear
# message instead of a confusing permission error part-way through.
if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root (e.g. via sudo or Jamf Pro)." >&2
    exit 1
fi

# Check for macOS 13 (Ventura) only
OS_VERSION="$(sw_vers -productVersion)"
OS_MAJOR="${OS_VERSION%%.*}"
if [[ "$OS_MAJOR" -ne 13 ]]; then
    log "This script is intended for macOS 13 (Ventura) only. Detected macOS version: $OS_VERSION. Exiting without changes."
    exit 0
fi
log "macOS 13 (Ventura) detected. Proceeding with Terrapin mitigation."

# A leading "-" removes the named cipher from OpenSSH's default list instead of
# replacing the list, so the remaining defaults (aes-ctr, aes-gcm) are untouched.
CONF_LINE="Ciphers -chacha20-poly1305@openssh.com"
CLIENT_CONF="/etc/ssh/ssh_config.d/Mitigate_Terrapin_Attack.conf"
SERVER_CONF="/etc/ssh/sshd_config.d/Mitigate_Terrapin_Attack.conf"

# Ensure the drop-in directories exist (macOS 13's ssh_config and sshd_config
# already carry "Include" directives for them).
for dir in "/etc/ssh/ssh_config.d" "/etc/ssh/sshd_config.d"; do
    if [[ ! -d "$dir" ]]; then
        log "Creating directory: $dir"
        mkdir -p "$dir"
    fi
    chmod 755 "$dir"
done

# Write the mitigation line to a drop-in file unless it is already present.
write_mitigation()
{
    local conf="$1"
    if [[ ! -f "$conf" ]] || ! grep -qF -- "$CONF_LINE" "$conf"; then
        log "Writing mitigation to $conf"
        echo "$CONF_LINE" > "$conf"
        chmod 644 "$conf"
    else
        log "$conf already contains mitigation."
    fi
}

write_mitigation "$CLIENT_CONF"   # SSH client (outbound connections)
write_mitigation "$SERVER_CONF"   # SSH server (Remote Login)

# Restart sshd so the server-side change applies to new connections (no reboot
# needed). grep is used without -q so launchctl's output is fully consumed and
# pipefail cannot turn a successful match into a failure.
if launchctl list | grep com.openssh.sshd > /dev/null; then
    log "Restarting SSH daemon (sshd) to apply mitigation..."
    if launchctl kickstart -k system/com.openssh.sshd; then
        log "SSH daemon restarted successfully."
    else
        log_with_level "WARNING" "Failed to restart SSH daemon. A reboot may be required."
    fi
else
    log "SSH daemon not running or not found. If this is a client-only Mac, this is normal."
fi

log "Terrapin mitigation applied. New SSH connections will use the updated config."
log "A full reboot is NOT required, but is safe if you prefer."
exit 0
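To verify the result, or to audit a Mac before deciding whether it needs the script, inspect the effective client and server configurations with `ssh -G <host>` and `sudo sshd -T`; both print the negotiable cipher and MAC lists after every Include file has been applied. The checker below is an added example written for this post, not part of the script above or the University of Utah's code. It encodes the vulnerable combinations described earlier (chacha20-poly1305@openssh.com, or any *-cbc cipher together with a *-etm@openssh.com MAC) and runs them over constructed sample output that mirrors a stock macOS 13 client before and after the mitigation, plus a customised config the chacha20 removal alone does not cover. The function names and the `--live` flag are this example's own.

```shell
#!/bin/bash
# Added example: audit an effective OpenSSH configuration for Terrapin
# (CVE-2023-48795) exposure. Not part of the mitigation script above.
#
# Exploitable modes: chacha20-poly1305@openssh.com, or any CBC cipher when an
# Encrypt-then-MAC (*-etm@openssh.com) MAC can be negotiated alongside it.

# terrapin_exposed CIPHERS MACS
#   CIPHERS and MACS are comma-separated lists as printed by `ssh -G` / `sshd -T`.
#   Returns 0 (true) if a vulnerable mode can be negotiated, 1 if not.
terrapin_exposed() {
    local has_chacha=1 has_cbc=1 has_etm=1 c m
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        case "$c" in
            chacha20-poly1305@openssh.com) has_chacha=0 ;;
            *-cbc)                         has_cbc=0 ;;
        esac
    done
    for m in $(printf '%s' "$2" | tr ',' ' '); do
        case "$m" in
            *-etm@openssh.com) has_etm=0 ;;
        esac
    done
    [ "$has_chacha" -eq 0 ] && return 0
    [ "$has_cbc" -eq 0 ] && [ "$has_etm" -eq 0 ] && return 0
    return 1
}

# check_effective_config TEXT
#   TEXT is the full output of `ssh -G host` or `sshd -T` ("keyword value" lines).
#   Prints a verdict; returns 0 if exposed, 1 if clean.
check_effective_config() {
    local ciphers macs
    ciphers=$(printf '%s\n' "$1" | awk '$1 == "ciphers" { print $2 }')
    macs=$(printf '%s\n' "$1" | awk '$1 == "macs" { print $2 }')
    if terrapin_exposed "$ciphers" "$macs"; then
        echo "EXPOSED: ciphers=$ciphers"
        return 0
    fi
    echo "OK: no Terrapin-exploitable cipher/MAC combination (ciphers=$ciphers)"
    return 1
}

# Constructed samples (not captured from a real machine): the lists match the
# OpenSSH 9.0 defaults that macOS 13 ships with.
STOCK_VENTURA='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# Same host after "Ciphers -chacha20-poly1305@openssh.com" has taken effect.
MITIGATED_VENTURA='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# A customised config that re-enabled a CBC cipher: removing chacha20 alone does
# not cover this, because an -etm MAC is still negotiable.
LEGACY_CBC='ciphers aes256-cbc,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

if [ "${1:-}" = "--live" ]; then
    # Audit this machine: client view, then server view (sshd -T needs root).
    check_effective_config "$(ssh -G localhost)" || true
    check_effective_config "$(sudo sshd -T)" || true
else
    for sample in "$STOCK_VENTURA" "$MITIGATED_VENTURA" "$LEGACY_CBC"; do
        check_effective_config "$sample" || true
    done
fi
```

Run it with no arguments to see the verdicts for the three constructed samples, or with `--live` on a Mac to audit the real client and server configuration. A clean result only means the vulnerable modes cannot be negotiated from this side; a peer that still offers chacha20 is protected by this change too, since a cipher must be in both lists to be chosen.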