From 0d9881966c0367e4ceb762070d9b70ab7e091731 Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Thu, 5 Nov 2020 20:24:09 -0500
Subject: [PATCH] Added version check for OpenSSH user enumeration (CVE-2018-15473). (#83)
---
 README.md | 3 +++
 src/ssh_audit/versionvulnerabilitydb.py | 1 +
 test/docker/expected_results/openssh_4.0p1_test1.txt | 1 +
 test/docker/expected_results/openssh_5.6p1_test1.txt | 1 +
 test/docker/expected_results/openssh_5.6p1_test2.txt | 1 +
 test/docker/expected_results/openssh_5.6p1_test3.txt | 1 +
 test/docker/expected_results/openssh_5.6p1_test4.txt | 1 +
 test/docker/expected_results/openssh_5.6p1_test5.txt | 1 +
 test/test_ssh1.py | 4 ++--
 test/test_ssh2.py | 4 ++--
 10 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index b6034b4..f37f485 100644
--- a/README.md
+++ b/README.md
@@ -157,6 +157,9 @@ $ docker pull positronsecurity/ssh-audit
 For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).
 ## ChangeLog
+### v2.4.0-dev (???)
+ - Added version check for OpenSSH user enumeration (CVE-2018-15473).
+
 ### v2.3.1 (2020-10-28)
  - Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types.
  - Flag `ssh-rsa-cert-v01@openssh.com` as a failure due to SHA-1 hash.
diff --git a/src/ssh_audit/versionvulnerabilitydb.py b/src/ssh_audit/versionvulnerabilitydb.py
index 6e61020..625e455 100644
--- a/src/ssh_audit/versionvulnerabilitydb.py
+++ b/src/ssh_audit/versionvulnerabilitydb.py
@@ -66,6 +66,7 @@ class VersionVulnerabilityDB: # pylint: disable=too-few-public-methods
 ['0.4.7', '0.5.2', 1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'],
 ['0.4.7', '0.5.2', 1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']],
 'OpenSSH': [
+ ['1.0', '7.7', 1, 'CVE-2018-15473', 5.3, 'enumerate usernames due to timing discrepencies'],
 ['7.2', '7.2p2', 1, 'CVE-2016-6515', 7.8, 'cause DoS via long password string (crypt CPU consumption)'],
 ['1.2.2', '7.2', 1, 'CVE-2016-3115', 5.5, 'bypass command restrictions via crafted X11 forwarding data'],
 ['5.4', '7.1', 1, 'CVE-2016-1907', 5.0, 'cause DoS via crafted network traffic (out of bounds read)'],
diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt
index 4d3d1a7..57bc67b 100644
--- a/test/docker/expected_results/openssh_4.0p1_test1.txt
+++ b/test/docker/expected_results/openssh_4.0p1_test1.txt
@@ -6,6 +6,7 @@
 (gen) compression: enabled (zlib)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
 (cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt
index 5ac3e37..3560317 100644
--- a/test/docker/expected_results/openssh_5.6p1_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test1.txt
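Review bot: The new OpenSSH entry's description string misspells "discrepancies" as "discrepencies", and because that string is printed verbatim the same misspelling is baked into all six expected_results fixtures in this patch, so correcting it means updating those together; the entry would read `['1.0', '7.7', 1, 'CVE-2018-15473', 5.3, 'enumerate usernames due to timing discrepancies'],`. The score also deserves a second look: the fixtures label the column CVSSv2, and 5.3 is, I believe, the CVSSv3 base score published for CVE-2018-15473 (the CVSSv2 score being 5.0), so confirm which scale this column holds and adjust the number and the fixtures to match. Because this is a banner-version check, hosts running a vendor build that backported the 7.8 fix but still announces an older version will be reported as affected; a short comment on the entry noting that 7.7 is the last affected release would help readers of the table understand the range. The enclosing VersionVulnerabilityDB class and its list literal begin and end outside the hunk.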
@@ -5,6 +5,7 @@
 (gen) compression: enabled (zlib@openssh.com)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
 (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt
index a9cd2d9..65a3156 100644
--- a/test/docker/expected_results/openssh_5.6p1_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test2.txt
@@ -5,6 +5,7 @@
 (gen) compression: enabled (zlib@openssh.com)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
 (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt
index 1f34924..111e208 100644
--- a/test/docker/expected_results/openssh_5.6p1_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test3.txt
@@ -5,6 +5,7 @@
 (gen) compression: enabled (zlib@openssh.com)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
 (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt
index 4820129..11f6a21 100644
--- a/test/docker/expected_results/openssh_5.6p1_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test4.txt
@@ -5,6 +5,7 @@
 (gen) compression: enabled (zlib@openssh.com)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
 (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt
index ceca269..7c6213e 100644
--- a/test/docker/expected_results/openssh_5.6p1_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test5.txt
@@ -5,6 +5,7 @@
 (gen) compression: enabled (zlib@openssh.com)
 # security
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
 (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
 (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
 (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
diff --git a/test/test_ssh1.py b/test/test_ssh1.py
index fc472d8..820af5f 100644
--- a/test/test_ssh1.py
+++ b/test/test_ssh1.py
@@ -134,7 +134,7 @@ class TestSSH1:
 output_spy.begin()
 self.audit(self._conf())
 lines = output_spy.flush()
- assert len(lines) == 13
+ assert len(lines) == 14
 def test_ssh1_server_invalid_first_packet(self, output_spy, virtual_socket):
 vsocket = virtual_socket
@@ -147,7 +147,7 @@ class TestSSH1:
 ret = self.audit(self._conf())
 assert ret != 0
 lines = output_spy.flush()
- assert len(lines) == 7
+ assert len(lines) == 8
 assert 'unknown message' in lines[-1]
 def test_ssh1_server_invalid_checksum(self, output_spy, virtual_socket):
diff --git a/test/test_ssh2.py b/test/test_ssh2.py
index 1d8ca93..1cdfd91 100644
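Review bot: Bumping the expected line counts in both test_ssh1.py hunks (13 to 14 and 7 to 8) only checks that one more line was printed, not that the extra line is the new CVE-2018-15473 finding, so any unrelated additional output line would keep these tests green; the same applies to the two test_ssh2.py hunks (67 to 68 and 3 to 4). Alongside the count, assert the content, e.g. `assert any('CVE-2018-15473' in line for line in lines)`, which also documents why the count changed. This presumes the virtual server's advertised version falls inside the '1.0'–'7.7' range of the new entry, which the count change suggests but the hunks do not show. Both test methods begin outside the hunk.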
--- a/test/test_ssh2.py
+++ b/test/test_ssh2.py
@@ -143,7 +143,7 @@ class TestSSH2:
 output_spy.begin()
 self.audit(self._conf())
 lines = output_spy.flush()
- assert len(lines) == 67
+ assert len(lines) == 68
 def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
 vsocket = virtual_socket
@@ -155,5 +155,5 @@ class TestSSH2:
 ret = self.audit(self._conf())
 assert ret != 0
 lines = output_spy.flush()
- assert len(lines) == 3
+ assert len(lines) == 4
 assert 'unknown message' in lines[-1]