elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2024-11-16 13:35:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added version check for OpenSSH user enumeration (CVE-2018-15473). (#83)

Browse Source
This commit is contained in:
Joe Testa 2020-11-05 20:24:09 -05:00
parent 5c8dc5105b
commit 0d9881966c
10 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -157,6 +157,9 @@ $ docker pull positronsecurity/ssh-audit
For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).
## ChangeLog
### v2.4.0-dev (???)
- Added version check for OpenSSH user enumeration (CVE-2018-15473).
### v2.3.1 (2020-10-28)
- Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types.
- Flag `ssh-rsa-cert-v01@openssh.com` as a failure due to SHA-1 hash.

1
src/ssh_audit/versionvulnerabilitydb.py
View File

@ -66,6 +66,7 @@ class VersionVulnerabilityDB: # pylint: disable=too-few-public-methods
['0.4.7', '0.5.2', 1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'],
['0.4.7', '0.5.2', 1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']],
'OpenSSH': [
['1.0', '7.7', 1, 'CVE-2018-15473', 5.3, 'enumerate usernames due to timing discrepencies'],
['7.2', '7.2p2', 1, 'CVE-2016-6515', 7.8, 'cause DoS via long password string (crypt CPU consumption)'],
['1.2.2', '7.2', 1, 'CVE-2016-3115', 5.5, 'bypass command restrictions via crafted X11 forwarding data'],
['5.4', '7.1', 1, 'CVE-2016-1907', 5.0, 'cause DoS via crafted network traffic (out of bounds read)'],

1
test/docker/expected_results/openssh_4.0p1_test1.txt
View File

@ -6,6 +6,7 @@
(gen) compression: enabled (zlib)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages

1
test/docker/expected_results/openssh_5.6p1_test1.txt
View File

@ -5,6 +5,7 @@
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid

1
test/docker/expected_results/openssh_5.6p1_test2.txt
View File

@ -5,6 +5,7 @@
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid

1
test/docker/expected_results/openssh_5.6p1_test3.txt
View File

@ -5,6 +5,7 @@
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid

1
test/docker/expected_results/openssh_5.6p1_test4.txt
View File

@ -5,6 +5,7 @@
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid

1
test/docker/expected_results/openssh_5.6p1_test5.txt
View File

@ -5,6 +5,7 @@
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid

4
test/test_ssh1.py
View File

@ -134,7 +134,7 @@ class TestSSH1:
output_spy.begin()
self.audit(self._conf())
lines = output_spy.flush()
assert len(lines) == 13
assert len(lines) == 14
def test_ssh1_server_invalid_first_packet(self, output_spy, virtual_socket):
vsocket = virtual_socket
@ -147,7 +147,7 @@ class TestSSH1:
ret = self.audit(self._conf())
assert ret != 0
lines = output_spy.flush()
assert len(lines) == 7
assert len(lines) == 8
assert 'unknown message' in lines[-1]
def test_ssh1_server_invalid_checksum(self, output_spy, virtual_socket):

4
test/test_ssh2.py
View File

@ -143,7 +143,7 @@ class TestSSH2:
output_spy.begin()
self.audit(self._conf())
lines = output_spy.flush()
assert len(lines) == 67
assert len(lines) == 68
def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
vsocket = virtual_socket
@ -155,5 +155,5 @@ class TestSSH2:
ret = self.audit(self._conf())
assert ret != 0
lines = output_spy.flush()
assert len(lines) == 3
assert len(lines) == 4
assert 'unknown message' in lines[-1]