From 93b30b42584cef103652b426ab62c0e8b32e2667 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Thu, 26 Sep 2024 13:15:58 -0400 Subject: [PATCH] Removed version-based CVE information. (#240) --- README.md | 4 +- src/ssh_audit/ssh_audit.py | 93 ++-------- src/ssh_audit/versionvulnerabilitydb.py | 170 ------------------ .../expected_results/openssh_4.0p1_test1.json | 113 +----------- .../expected_results/openssh_4.0p1_test1.txt | 22 --- .../expected_results/openssh_5.6p1_test1.json | 78 +------- .../expected_results/openssh_5.6p1_test1.txt | 17 -- .../expected_results/openssh_5.6p1_test2.json | 78 +------- .../expected_results/openssh_5.6p1_test2.txt | 17 -- .../expected_results/openssh_5.6p1_test3.json | 78 +------- .../expected_results/openssh_5.6p1_test3.txt | 17 -- .../expected_results/openssh_5.6p1_test4.json | 78 +------- .../expected_results/openssh_5.6p1_test4.txt | 17 -- .../expected_results/openssh_5.6p1_test5.json | 78 +------- .../expected_results/openssh_5.6p1_test5.txt | 17 -- .../expected_results/openssh_8.0p1_test1.json | 23 +-- .../expected_results/openssh_8.0p1_test1.txt | 6 - .../expected_results/openssh_8.0p1_test2.json | 23 +-- .../expected_results/openssh_8.0p1_test2.txt | 6 - .../expected_results/openssh_8.0p1_test3.json | 23 +-- .../expected_results/openssh_8.0p1_test3.txt | 6 - test/test_build_struct.py | 2 +- test/test_ssh1.py | 4 +- test/test_ssh2.py | 4 +- 24 files changed, 26 insertions(+), 948 deletions(-) delete mode 100644 src/ssh_audit/versionvulnerabilitydb.py diff --git a/README.md b/README.md index e9c3718..5ea4c0b 100644 --- a/README.md +++ b/README.md @@ -30,9 +30,8 @@ - analyze SSH client configuration; - grab banner, recognize device or software and operating system, detect compression; - gather key-exchange, host-key, encryption and message authentication code algorithms; -- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc); +- output algorithm security information (available since, removed/disabled, unsafe/weak/legacy, etc); - output algorithm recommendations (append or remove based on recognized software version); -- output security information (related issues, assigned CVE list, etc); - analyze SSH version compatibility based on algorithm information; - historical information from OpenSSH, Dropbear SSH and libssh; - policy scans to ensure adherence to a hardened/standard configuration; @@ -226,6 +225,7 @@ For convenience, a web front-end on top of the command-line tool is available at - Added IPv6 support for DHEat and connection rate tests. - Added TCP port information to JSON policy scan results; credit [Fabian Malte Kopp](https://github.com/dreizehnutters). - Added LANcom LCOS server recognition and Ed448 key extraction; credit [Daniel Lenski](https://github.com/dlenskiSB). + - Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see [this thread](https://github.com/jtesta/ssh-audit/issues/240) for the full discussion, as well as the results of the community vote on this matter). - Fixed crash when running with `-P` and `-T` options simultaneously. - Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB). - Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit [Drew Noel](https://github.com/drewmnoel) and [Michael Osipov](https://github.com/michael-o). diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py index e60cce9..e834ec6 100755 --- a/src/ssh_audit/ssh_audit.py +++ b/src/ssh_audit/ssh_audit.py @@ -61,7 +61,6 @@ from ssh_audit.ssh2_kex import SSH2_Kex from ssh_audit.ssh2_kexdb import SSH2_KexDB from ssh_audit.ssh_socket import SSH_Socket from ssh_audit.utils import Utils -from ssh_audit.versionvulnerabilitydb import VersionVulnerabilityDB # no_idna_workaround = False @@ -273,65 +272,18 @@ def output_compatibility(out: OutputBuffer, algs: Algorithms, client_audit: bool out.good('(gen) compatibility: ' + ', '.join(comp_text)) -def output_security_sub(out: OutputBuffer, sub: str, software: Optional[Software], client_audit: bool, padlen: int) -> List[Dict[str, Union[str, float]]]: - ret: List[Dict[str, Union[str, float]]] = [] - - secdb = VersionVulnerabilityDB.CVE if sub == 'cve' else VersionVulnerabilityDB.TXT - if software is None or software.product not in secdb: - return ret - for line in secdb[software.product]: - vfrom: str = '' - vtill: str = '' - vfrom, vtill = line[0:2] - if not software.between_versions(vfrom, vtill): - continue - target: int = 0 - name: str = '' - target, name = line[2:4] - is_server = target & 1 == 1 - is_client = target & 2 == 2 - # is_local = target & 4 == 4 - - # If this security entry applies only to servers, but we're testing a client, then skip it. Similarly, skip entries that apply only to clients, but we're testing a server. - if (is_server and not is_client and client_audit) or (is_client and not is_server and not client_audit): - continue - p = '' if out.batch else ' ' * (padlen - len(name)) - if sub == 'cve': - cvss: float = 0.0 - descr: str = '' - cvss, descr = line[4:6] - - # Critical CVSS scores (>= 8.0) are printed as a fail, otherwise they are printed as a warning. - out_func = out.warn - if cvss >= 8.0: - out_func = out.fail - out_func('(cve) {}{} -- (CVSSv2: {}) {}'.format(name, p, cvss, descr)) - ret.append({'name': name, 'cvssv2': cvss, 'description': descr}) - else: - descr = line[4] - out.fail('(sec) {}{} -- {}'.format(name, p, descr)) - - return ret - - -def output_security(out: OutputBuffer, banner: Optional[Banner], client_audit: bool, padlen: int, is_json_output: bool) -> List[Dict[str, Union[str, float]]]: - cves = [] +def output_security(out: OutputBuffer, banner: Optional[Banner], padlen: int, is_json_output: bool) -> None: with out: - if banner is not None: - software = Software.parse(banner) - cves = output_security_sub(out, 'cve', software, client_audit, padlen) - _ = output_security_sub(out, 'txt', software, client_audit, padlen) - if banner.protocol[0] == 1: - p = '' if out.batch else ' ' * (padlen - 14) - out.fail('(sec) SSH v1 enabled{} -- SSH v1 can be exploited to recover plaintext passwords'.format(p)) + if (banner is not None) and (banner.protocol[0] == 1): + p = '' if out.batch else ' ' * (padlen - 14) + out.fail('(sec) SSH v1 enabled{} -- SSH v1 can be exploited to recover plaintext passwords'.format(p)) + if not out.is_section_empty() and not is_json_output: out.head('# security') out.flush_section() out.sep() - return cves - def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: bool) -> None: with out: @@ -384,31 +336,6 @@ def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: boo def output_recommendations(out: OutputBuffer, algs: Algorithms, algorithm_recommendation_suppress_list: List[str], software: Optional[Software], is_json_output: bool, padlen: int = 0) -> bool: ret = True - # PuTTY's algorithms cannot be modified, so there's no point in issuing recommendations. - if (software is not None) and (software.product == Product.PuTTY): - max_vuln_version = 0.0 - max_cvssv2_severity = 0.0 - # Search the CVE database for the most recent vulnerable version and the max CVSSv2 score. - for cve_list in VersionVulnerabilityDB.CVE['PuTTY']: - vuln_version = float(cve_list[1]) - cvssv2_severity = cve_list[4] - max_vuln_version = max(vuln_version, max_vuln_version) - max_cvssv2_severity = max(cvssv2_severity, max_cvssv2_severity) - - fn = out.warn - if max_cvssv2_severity > 8.0: - fn = out.fail - - # Assuming that PuTTY versions will always increment by 0.01, we can calculate the first safe version by adding 0.01 to the latest vulnerable version. - current_version = float(software.version) - upgrade_to_version = max_vuln_version + 0.01 - if current_version < upgrade_to_version: - out.head('# recommendations') - fn('(rec) Upgrade to PuTTY v%.2f' % upgrade_to_version) - out.sep() - ret = False - return ret - level_to_output = { "informational": out.good, "warning": out.warn, @@ -694,7 +621,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header out.flush_section() out.sep() maxlen = algs.maxlen + 1 - cves = output_security(out, banner, client_audit, maxlen, aconf.json) + output_security(out, banner, maxlen, aconf.json) # Filled in by output_algorithms() with unidentified algs. unknown_algorithms: List[str] = [] @@ -729,7 +656,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header if aconf.json: out.reset() # Build & write the JSON struct. - out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, cves, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list, additional_notes=additional_notes), indent=4 if aconf.json_print_indent else None, sort_keys=True)) + out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list, additional_notes=additional_notes), indent=4 if aconf.json_print_indent else None, sort_keys=True)) elif len(unknown_algorithms) > 0: # If we encountered any unknown algorithms, ask the user to report them. out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s. If this is the latest version of ssh-audit (see ), please create a new Github issue at with the full output above.\n" % ','.join(unknown_algorithms)) @@ -1078,7 +1005,7 @@ def process_commandline(out: OutputBuffer, args: List[str], usage_cb: Callable[. return aconf -def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[str, Union[str, float]]], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None, additional_notes: List[str] = []) -> Any: # pylint: disable=dangerous-default-value +def build_struct(target_host: str, banner: Optional['Banner'], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None, additional_notes: List[str] = []) -> Any: # pylint: disable=dangerous-default-value def fetch_notes(algorithm: str, alg_type: str) -> Dict[str, List[Optional[str]]]: '''Returns a dictionary containing the messages in the "fail", "warn", and "info" levels for this algorithm.''' @@ -1240,8 +1167,8 @@ def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[s 'fp': pkm_fp, }] - # Add in the CVE information. - res['cves'] = cves + # Historically, CVE information was returned. Now we'll just return an empty dictionary so as to not break any legacy clients. + res['cves'] = [] # Add in the recommendations. res['recommendations'] = get_algorithm_recommendations(algorithms, algorithm_recommendation_suppress_list, software, for_server=True) diff --git a/src/ssh_audit/versionvulnerabilitydb.py b/src/ssh_audit/versionvulnerabilitydb.py deleted file mode 100644 index 782f3bf..0000000 --- a/src/ssh_audit/versionvulnerabilitydb.py +++ /dev/null @@ -1,170 +0,0 @@ -""" - The MIT License (MIT) - - Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com) - Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) - - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in - all copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - THE SOFTWARE. -""" -# pylint: disable=unused-import -from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 -from typing import Callable, Optional, Union, Any # noqa: F401 - - -class VersionVulnerabilityDB: # pylint: disable=too-few-public-methods - # Format: [starting_vuln_version, last_vuln_version, affected, CVE_ID, CVSSv2, description] - # affected: 1 = server, 2 = client, 4 = local - # Example: if it affects servers, both remote & local, then affected - # = 1. If it affects servers, but is a local issue only, - # then affected = 1 + 4 = 5. - CVE: Dict[str, List[List[Any]]] = { - 'Dropbear SSH': [ - ['0.0', '2020.81', 2, 'CVE-2021-36369', 7.5, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], - ['0.0', '2018.76', 1, 'CVE-2018-15599', 5.0, 'remote users may enumerate users on the system'], - ['0.0', '2017.74', 5, 'CVE-2017-9079', 4.7, 'local users can read certain files as root'], - ['0.0', '2017.74', 5, 'CVE-2017-9078', 9.3, 'local users may elevate privileges to root under certain conditions'], - ['0.0', '2016.73', 5, 'CVE-2016-7409', 2.1, 'local users can read process memory under limited conditions'], - ['0.0', '2016.73', 1, 'CVE-2016-7408', 6.5, 'remote users can execute arbitrary code'], - ['0.0', '2016.73', 5, 'CVE-2016-7407', 10.0, 'local users can execute arbitrary code'], - ['0.0', '2016.73', 1, 'CVE-2016-7406', 10.0, 'remote users can execute arbitrary code'], - ['0.44', '2015.71', 1, 'CVE-2016-3116', 5.5, 'bypass command restrictions via xauth command injection'], - ['0.28', '2013.58', 1, 'CVE-2013-4434', 5.0, 'discover valid usernames through different time delays'], - ['0.28', '2013.58', 1, 'CVE-2013-4421', 5.0, 'cause DoS via a compressed packet (memory consumption)'], - ['0.52', '2011.54', 1, 'CVE-2012-0920', 7.1, 'execute arbitrary code or bypass command restrictions'], - ['0.40', '0.48.1', 1, 'CVE-2007-1099', 7.5, 'conduct a MitM attack (no warning for hostkey mismatch)'], - ['0.28', '0.47', 1, 'CVE-2006-1206', 7.5, 'cause DoS via large number of connections (slot exhaustion)'], - ['0.39', '0.47', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary commands via scp with crafted filenames'], - ['0.28', '0.46', 1, 'CVE-2005-4178', 6.5, 'execute arbitrary code via buffer overflow vulnerability'], - ['0.28', '0.42', 1, 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code']], - 'libssh': [ - ['0.6.4', '0.6.4', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], - ['0.7.0', '0.7.5', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], - ['0.8.0', '0.8.3', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], - ['0.1', '0.7.2', 1, 'CVE-2016-0739', 4.3, 'conduct a MitM attack (weakness in DH key generation)'], - ['0.5.1', '0.6.4', 1, 'CVE-2015-3146', 5.0, 'cause DoS via kex packets (null pointer dereference)'], - ['0.5.1', '0.6.3', 1, 'CVE-2014-8132', 5.0, 'cause DoS via kex init packet (dangling pointer)'], - ['0.4.7', '0.6.2', 1, 'CVE-2014-0017', 1.9, 'leak data via PRNG state reuse on forking servers'], - ['0.4.7', '0.5.3', 1, 'CVE-2013-0176', 4.3, 'cause DoS via kex packet (null pointer dereference)'], - ['0.4.7', '0.5.2', 1, 'CVE-2012-6063', 7.5, 'cause DoS or execute arbitrary code via sftp (double free)'], - ['0.4.7', '0.5.2', 1, 'CVE-2012-4562', 7.5, 'cause DoS or execute arbitrary code (overflow check)'], - ['0.4.7', '0.5.2', 1, 'CVE-2012-4561', 5.0, 'cause DoS via unspecified vectors (invalid pointer)'], - ['0.4.7', '0.5.2', 1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'], - ['0.4.7', '0.5.2', 1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']], - 'OpenSSH': [ - ['6.2', '8.7', 5, 'CVE-2021-41617', 7.0, 'privilege escalation via supplemental groups'], - ['1.0', '8.8', 2, 'CVE-2021-36368', 3.7, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], - ['8.2', '8.4', 2, 'CVE-2021-28041', 7.1, 'double free via ssh-agent'], - ['1.0', '8.3', 5, 'CVE-2020-15778', 7.8, 'command injection via anomalous argument transfers'], - ['5.7', '8.3', 2, 'CVE-2020-14145', 5.9, 'information leak via algorithm negotiation'], - ['8.2', '8.2', 2, 'CVE-2020-12062', 7.5, 'arbitrary files overwrite via scp'], - ['7.7', '8.0', 7, 'CVE-2019-16905', 7.8, 'memory corruption and local code execution via pre-authentication integer overflow'], - ['1.0', '7.9', 2, 'CVE-2019-6111', 5.9, 'arbitrary files overwrite via scp'], - ['1.0', '7.9', 2, 'CVE-2019-6110', 6.8, 'output manipulation'], - ['1.0', '7.9', 2, 'CVE-2019-6109', 6.8, 'output manipulation'], - ['1.0', '7.9', 2, 'CVE-2018-20685', 5.3, 'directory permissions modification via scp'], - ['5.9', '7.8', 1, 'CVE-2018-15919', 5.3, 'username enumeration via GS2'], - ['1.0', '7.7', 1, 'CVE-2018-15473', 5.3, 'enumerate usernames due to timing discrepancies'], - ['1.2', '6.292', 1, 'CVE-2017-15906', 5.3, 'readonly bypass via sftp'], - ['1.0', '8.7', 1, 'CVE-2016-20012', 5.3, 'enumerate usernames via challenge response'], - ['7.2', '7.2p2', 1, 'CVE-2016-6515', 7.8, 'cause DoS via long password string (crypt CPU consumption)'], - ['1.2.2', '7.2', 1, 'CVE-2016-3115', 5.5, 'bypass command restrictions via crafted X11 forwarding data'], - ['5.4', '7.1', 1, 'CVE-2016-1907', 5.0, 'cause DoS via crafted network traffic (out of bounds read)'], - ['5.4', '7.1p1', 2, 'CVE-2016-0778', 4.6, 'cause DoS via requesting many forwardings (heap based buffer overflow)'], - ['5.0', '7.1p1', 2, 'CVE-2016-0777', 4.0, 'leak data via allowing transfer of entire buffer'], - ['6.0', '7.2p2', 5, 'CVE-2015-8325', 7.2, 'privilege escalation via triggering crafted environment'], - ['6.8', '6.9', 5, 'CVE-2015-6565', 7.2, 'cause DoS via writing to a device (terminal disruption)'], - ['5.0', '6.9', 5, 'CVE-2015-6564', 6.9, 'privilege escalation via leveraging sshd uid'], - ['5.0', '6.9', 5, 'CVE-2015-6563', 1.9, 'conduct impersonation attack'], - ['6.9p1', '6.9p1', 1, 'CVE-2015-5600', 8.5, 'cause Dos or aid in conduct brute force attack (CPU consumption)'], - ['6.0', '6.6', 1, 'CVE-2015-5352', 4.3, 'bypass access restrictions via a specific connection'], - ['6.0', '6.6', 2, 'CVE-2014-2653', 5.8, 'bypass SSHFP DNS RR check via unacceptable host certificate'], - ['5.0', '6.5', 1, 'CVE-2014-2532', 5.8, 'bypass environment restrictions via specific string before wildcard'], - ['1.2', '6.4', 1, 'CVE-2014-1692', 7.5, 'cause DoS via triggering error condition (memory corruption)'], - ['6.2', '6.3', 1, 'CVE-2013-4548', 6.0, 'bypass command restrictions via crafted packet data'], - ['1.2', '5.6', 1, 'CVE-2012-0814', 3.5, 'leak data via debug messages'], - ['1.2', '5.8', 1, 'CVE-2011-5000', 3.5, 'cause DoS via large value in certain length field (memory consumption)'], - ['5.6', '5.7', 2, 'CVE-2011-0539', 5.0, 'leak data or conduct hash collision attack'], - ['1.2', '6.1', 1, 'CVE-2010-5107', 5.0, 'cause DoS via large number of connections (slot exhaustion)'], - ['1.2', '5.8', 1, 'CVE-2010-4755', 4.0, 'cause DoS via crafted glob expression (CPU and memory consumption)'], - ['1.2', '5.6', 1, 'CVE-2010-4478', 7.5, 'bypass authentication check via crafted values'], - ['4.3', '4.8', 1, 'CVE-2009-2904', 6.9, 'privilege escalation via hard links to setuid programs'], - ['4.0', '5.1', 1, 'CVE-2008-5161', 2.6, 'recover plaintext data from ciphertext'], - ['1.2', '4.6', 1, 'CVE-2008-4109', 5.0, 'cause DoS via multiple login attempts (slot exhaustion)'], - ['1.2', '4.8', 1, 'CVE-2008-1657', 6.5, 'bypass command restrictions via modifying session file'], - ['1.2.2', '4.9', 1, 'CVE-2008-1483', 6.9, 'hijack forwarded X11 connections'], - ['4.0', '4.6', 1, 'CVE-2007-4752', 7.5, 'privilege escalation via causing an X client to be trusted'], - ['4.3p2', '4.3p2', 1, 'CVE-2007-3102', 4.3, 'allow attacker to write random data to audit log'], - ['1.2', '4.6', 1, 'CVE-2007-2243', 5.0, 'discover valid usernames through different responses'], - ['4.4', '4.4', 1, 'CVE-2006-5794', 7.5, 'bypass authentication'], - ['4.1', '4.1p1', 1, 'CVE-2006-5229', 2.6, 'discover valid usernames through different time delays'], - ['1.2', '4.3p2', 1, 'CVE-2006-5052', 5.0, 'discover valid usernames through different responses'], - ['1.2', '4.3p2', 1, 'CVE-2006-5051', 9.3, 'cause DoS or execute arbitrary code (double free)'], - ['4.5', '4.5', 1, 'CVE-2006-4925', 5.0, 'cause DoS via invalid protocol sequence (crash)'], - ['1.2', '4.3p2', 1, 'CVE-2006-4924', 7.8, 'cause DoS via crafted packet (CPU consumption)'], - ['3.8.1p1', '3.8.1p1', 1, 'CVE-2006-0883', 5.0, 'cause DoS via connecting multiple times (client connection refusal)'], - ['3.0', '4.2p1', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary code'], - ['2.1', '4.1p1', 1, 'CVE-2005-2798', 5.0, 'leak data about authentication credentials'], - ['3.5', '3.5p1', 1, 'CVE-2004-2760', 6.8, 'leak data through different connection states'], - ['2.3', '3.7.1p2', 1, 'CVE-2004-2069', 5.0, 'cause DoS via large number of connections (slot exhaustion)'], - ['3.0', '3.4p1', 1, 'CVE-2004-0175', 4.3, 'leak data through directory traversal'], - ['1.2', '3.9p1', 1, 'CVE-2003-1562', 7.6, 'leak data about authentication credentials'], - ['3.1p1', '3.7.1p1', 1, 'CVE-2003-0787', 7.5, 'privilege escalation via modifying stack'], - ['3.1p1', '3.7.1p1', 1, 'CVE-2003-0786', 10.0, 'privilege escalation via bypassing authentication'], - ['1.0', '3.7.1', 1, 'CVE-2003-0695', 7.5, 'cause DoS or execute arbitrary code'], - ['1.0', '3.7', 1, 'CVE-2003-0693', 10.0, 'execute arbitrary code'], - ['3.0', '3.6.1p2', 1, 'CVE-2003-0386', 7.5, 'bypass address restrictions for connection'], - ['3.1p1', '3.6.1p1', 1, 'CVE-2003-0190', 5.0, 'discover valid usernames through different time delays'], - ['3.2.2', '3.2.2', 1, 'CVE-2002-0765', 7.5, 'bypass authentication'], - ['1.2.2', '3.3p1', 1, 'CVE-2002-0640', 10.0, 'execute arbitrary code'], - ['1.2.2', '3.3p1', 1, 'CVE-2002-0639', 10.0, 'execute arbitrary code'], - ['2.1', '3.2', 1, 'CVE-2002-0575', 7.5, 'privilege escalation'], - ['2.1', '3.0.2p1', 2, 'CVE-2002-0083', 10.0, 'privilege escalation'], - ['3.0', '3.0p1', 1, 'CVE-2001-1507', 7.5, 'bypass authentication'], - ['1.2.3', '3.0.1p1', 5, 'CVE-2001-0872', 7.2, 'privilege escalation via crafted environment variables'], - ['1.2.3', '2.1.1', 1, 'CVE-2001-0361', 4.0, 'recover plaintext from ciphertext'], - ['1.2', '2.1', 1, 'CVE-2000-0525', 10.0, 'execute arbitrary code (improper privileges)']], - 'PuTTY': [ - # info for CVE-2021-36367 - only PuTTY up to 0.71 is affected - see https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/reject-trivial-auth.html - ['0.0', '0.71', 2, 'CVE-2021-36367', 8.1, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], - ['0.0', '0.74', 2, 'CVE-2021-33500', 5.0, 'denial of service of the complete windows desktop'], - ['0.68', '0.73', 2, 'CVE-2020-14002', 4.3, 'Observable Discrepancy which allows man-in-the-middle attackers to target initial connection attempts'], - ['0.54', '0.73', 2, 'CVE-2020-XXXX', 5.0, 'out of bounds memory read'], - ['0.0', '0.72', 2, 'CVE-2019-17069', 5.0, 'potential DOS by remote SSHv1 server'], - ['0.71', '0.72', 2, 'CVE-2019-17068', 5.0, 'xterm bracketed paste mode command injection'], - ['0.52', '0.72', 2, 'CVE-2019-17067', 7.5, 'port rebinding weakness in port forward tunnel handling'], - ['0.0', '0.71', 2, 'CVE-2019-XXXX', 5.0, 'undefined vulnerability in obsolete SSHv1 protocol handling'], - ['0.0', '0.71', 6, 'CVE-2019-XXXX', 5.0, 'local privilege escalation in Pageant'], - ['0.0', '0.70', 2, 'CVE-2019-9898', 7.5, 'potential recycling of random numbers'], - ['0.0', '0.70', 2, 'CVE-2019-9897', 5.0, 'multiple denial-of-service issues from writing to the terminal'], - ['0.0', '0.70', 6, 'CVE-2019-9896', 4.6, 'local application hijacking through malicious Windows help file'], - ['0.0', '0.70', 2, 'CVE-2019-9894', 6.4, 'buffer overflow in RSA key exchange'], - ['0.0', '0.69', 6, 'CVE-2016-6167', 4.4, 'local application hijacking through untrusted DLL loading'], - ['0.0', '0.67', 2, 'CVE-2017-6542', 7.5, 'buffer overflow in UNIX client that can result in privilege escalation or denial-of-service'], - ['0.0', '0.66', 2, 'CVE-2016-2563', 7.5, 'buffer overflow in SCP command-line utility'], - ['0.0', '0.65', 2, 'CVE-2015-5309', 4.3, 'integer overflow in terminal-handling code'], - ] - } - TXT: Dict[str, List[List[Any]]] = { - 'Dropbear SSH': [ - ['0.28', '0.34', 1, 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387)']], - 'libssh': [ - ['0.3.3', '0.3.3', 1, 'null pointer check', 'missing null pointer check in "crypt_set_algorithms_server"'], - ['0.3.3', '0.3.3', 1, 'integer overflow', 'integer overflow in "buffer_get_data"'], - ['0.3.3', '0.3.3', 3, 'heap overflow', 'heap overflow in "packet_decrypt"']] - } diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json index aaa7267..fb77e34 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.json +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -10,118 +10,7 @@ "none", "zlib" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - }, - { - "cvssv2": 2.6, - "description": "recover plaintext data from ciphertext", - "name": "CVE-2008-5161" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via multiple login attempts (slot exhaustion)", - "name": "CVE-2008-4109" - }, - { - "cvssv2": 6.5, - "description": "bypass command restrictions via modifying session file", - "name": "CVE-2008-1657" - }, - { - "cvssv2": 6.9, - "description": "hijack forwarded X11 connections", - "name": "CVE-2008-1483" - }, - { - "cvssv2": 7.5, - "description": "privilege escalation via causing an X client to be trusted", - "name": "CVE-2007-4752" - }, - { - "cvssv2": 5.0, - "description": "discover valid usernames through different responses", - "name": "CVE-2007-2243" - }, - { - "cvssv2": 5.0, - "description": "discover valid usernames through different responses", - "name": "CVE-2006-5052" - }, - { - "cvssv2": 9.3, - "description": "cause DoS or execute arbitrary code (double free)", - "name": "CVE-2006-5051" - }, - { - "cvssv2": 7.8, - "description": "cause DoS via crafted packet (CPU consumption)", - "name": "CVE-2006-4924" - }, - { - "cvssv2": 4.6, - "description": "execute arbitrary code", - "name": "CVE-2006-0225" - }, - { - "cvssv2": 5.0, - "description": "leak data about authentication credentials", - "name": "CVE-2005-2798" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-cbc", diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt index 4810a47..84a9629 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.txt +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt @@ -6,28 +6,6 @@ (gen) compression: enabled (zlib) # security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values -(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext -(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion) -(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file -(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections -(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted -(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses -(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses -(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free) -(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption) -(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code -(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials (sec) SSH v1 enabled -- SSH v1 can be exploited to recover plaintext passwords # key exchange algorithms diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json index d0082da..715c3d5 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.json +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -10,83 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via crafted network traffic (out of bounds read)", - "name": "CVE-2016-1907" - }, - { - "cvssv2": 6.9, - "description": "privilege escalation via leveraging sshd uid", - "name": "CVE-2015-6564" - }, - { - "cvssv2": 1.9, - "description": "conduct impersonation attack", - "name": "CVE-2015-6563" - }, - { - "cvssv2": 5.8, - "description": "bypass environment restrictions via specific string before wildcard", - "name": "CVE-2014-2532" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-ctr", diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt index 601dc39..73756c6 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.txt +++ b/test/docker/expected_results/openssh_5.6p1_test1.txt @@ -4,23 +4,6 @@ (gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) -(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid -(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack -(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values - # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 4.4 diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json index cbaa58b..8e77280 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.json +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -10,83 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via crafted network traffic (out of bounds read)", - "name": "CVE-2016-1907" - }, - { - "cvssv2": 6.9, - "description": "privilege escalation via leveraging sshd uid", - "name": "CVE-2015-6564" - }, - { - "cvssv2": 1.9, - "description": "conduct impersonation attack", - "name": "CVE-2015-6563" - }, - { - "cvssv2": 5.8, - "description": "bypass environment restrictions via specific string before wildcard", - "name": "CVE-2014-2532" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-ctr", diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt index 6b3b975..f984d14 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.txt +++ b/test/docker/expected_results/openssh_5.6p1_test2.txt @@ -4,23 +4,6 @@ (gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) -(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid -(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack -(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values - # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 4.4 diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json index a4ddada..96245bd 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.json +++ b/test/docker/expected_results/openssh_5.6p1_test3.json @@ -10,83 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via crafted network traffic (out of bounds read)", - "name": "CVE-2016-1907" - }, - { - "cvssv2": 6.9, - "description": "privilege escalation via leveraging sshd uid", - "name": "CVE-2015-6564" - }, - { - "cvssv2": 1.9, - "description": "conduct impersonation attack", - "name": "CVE-2015-6563" - }, - { - "cvssv2": 5.8, - "description": "bypass environment restrictions via specific string before wildcard", - "name": "CVE-2014-2532" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-ctr", diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt index 991c502..3a916b3 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.txt +++ b/test/docker/expected_results/openssh_5.6p1_test3.txt @@ -4,23 +4,6 @@ (gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) -(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid -(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack -(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values - # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 4.4 diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json index bba034c..176ecd3 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.json +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -10,83 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via crafted network traffic (out of bounds read)", - "name": "CVE-2016-1907" - }, - { - "cvssv2": 6.9, - "description": "privilege escalation via leveraging sshd uid", - "name": "CVE-2015-6564" - }, - { - "cvssv2": 1.9, - "description": "conduct impersonation attack", - "name": "CVE-2015-6563" - }, - { - "cvssv2": 5.8, - "description": "bypass environment restrictions via specific string before wildcard", - "name": "CVE-2014-2532" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-ctr", diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt index 2fb3e19..ff8a635 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.txt +++ b/test/docker/expected_results/openssh_5.6p1_test4.txt @@ -4,23 +4,6 @@ (gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) -(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid -(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack -(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values - # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 4.4 diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json index 8fb2542..7dc93eb 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.json +++ b/test/docker/expected_results/openssh_5.6p1_test5.json @@ -10,83 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames due to timing discrepancies", - "name": "CVE-2018-15473" - }, - { - "cvssv2": 5.3, - "description": "readonly bypass via sftp", - "name": "CVE-2017-15906" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - }, - { - "cvssv2": 5.5, - "description": "bypass command restrictions via crafted X11 forwarding data", - "name": "CVE-2016-3115" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via crafted network traffic (out of bounds read)", - "name": "CVE-2016-1907" - }, - { - "cvssv2": 6.9, - "description": "privilege escalation via leveraging sshd uid", - "name": "CVE-2015-6564" - }, - { - "cvssv2": 1.9, - "description": "conduct impersonation attack", - "name": "CVE-2015-6563" - }, - { - "cvssv2": 5.8, - "description": "bypass environment restrictions via specific string before wildcard", - "name": "CVE-2014-2532" - }, - { - "cvssv2": 7.5, - "description": "cause DoS via triggering error condition (memory corruption)", - "name": "CVE-2014-1692" - }, - { - "cvssv2": 3.5, - "description": "leak data via debug messages", - "name": "CVE-2012-0814" - }, - { - "cvssv2": 3.5, - "description": "cause DoS via large value in certain length field (memory consumption)", - "name": "CVE-2011-5000" - }, - { - "cvssv2": 5.0, - "description": "cause DoS via large number of connections (slot exhaustion)", - "name": "CVE-2010-5107" - }, - { - "cvssv2": 4.0, - "description": "cause DoS via crafted glob expression (CPU and memory consumption)", - "name": "CVE-2010-4755" - }, - { - "cvssv2": 7.5, - "description": "bypass authentication check via crafted values", - "name": "CVE-2010-4478" - } - ], + "cves": [], "enc": [ { "algorithm": "aes128-ctr", diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt index b9e7cd7..fddfbea 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.txt +++ b/test/docker/expected_results/openssh_5.6p1_test5.txt @@ -4,23 +4,6 @@ (gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies -(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response -(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data -(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) -(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid -(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack -(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard -(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) -(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages -(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) -(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) -(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) -(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values - # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 4.4 diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json index 2f950c1..229b39b 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.json +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -10,28 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.0, - "description": "privilege escalation via supplemental groups", - "name": "CVE-2021-41617" - }, - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 7.8, - "description": "memory corruption and local code execution via pre-authentication integer overflow", - "name": "CVE-2019-16905" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - } - ], + "cves": [], "enc": [ { "algorithm": "chacha20-poly1305@openssh.com", diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt index 15cdad7..c3792cd 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.txt +++ b/test/docker/expected_results/openssh_8.0p1_test1.txt @@ -4,12 +4,6 @@ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response - # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76  `- [info] default key exchange from OpenSSH 7.4 to 8.9 diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json index 3736883..8e18b30 100644 --- a/test/docker/expected_results/openssh_8.0p1_test2.json +++ b/test/docker/expected_results/openssh_8.0p1_test2.json @@ -10,28 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.0, - "description": "privilege escalation via supplemental groups", - "name": "CVE-2021-41617" - }, - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 7.8, - "description": "memory corruption and local code execution via pre-authentication integer overflow", - "name": "CVE-2019-16905" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - } - ], + "cves": [], "enc": [ { "algorithm": "chacha20-poly1305@openssh.com", diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt index 08caf4a..7123eb3 100644 --- a/test/docker/expected_results/openssh_8.0p1_test2.txt +++ b/test/docker/expected_results/openssh_8.0p1_test2.txt @@ -4,12 +4,6 @@ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response - # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76  `- [info] default key exchange from OpenSSH 7.4 to 8.9 diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json index 9ba52da..76bdb64 100644 --- a/test/docker/expected_results/openssh_8.0p1_test3.json +++ b/test/docker/expected_results/openssh_8.0p1_test3.json @@ -10,28 +10,7 @@ "none", "zlib@openssh.com" ], - "cves": [ - { - "cvssv2": 7.0, - "description": "privilege escalation via supplemental groups", - "name": "CVE-2021-41617" - }, - { - "cvssv2": 7.8, - "description": "command injection via anomalous argument transfers", - "name": "CVE-2020-15778" - }, - { - "cvssv2": 7.8, - "description": "memory corruption and local code execution via pre-authentication integer overflow", - "name": "CVE-2019-16905" - }, - { - "cvssv2": 5.3, - "description": "enumerate usernames via challenge response", - "name": "CVE-2016-20012" - } - ], + "cves": [], "enc": [ { "algorithm": "chacha20-poly1305@openssh.com", diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt index 62d5dd4..712451a 100644 --- a/test/docker/expected_results/openssh_8.0p1_test3.txt +++ b/test/docker/expected_results/openssh_8.0p1_test3.txt @@ -4,12 +4,6 @@ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compression: enabled (zlib@openssh.com) -# security -(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups -(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers -(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow -(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response - # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76  `- [info] default key exchange from OpenSSH 7.4 to 8.9 diff --git a/test/test_build_struct.py b/test/test_build_struct.py index e16baac..425d85a 100644 --- a/test/test_build_struct.py +++ b/test/test_build_struct.py @@ -36,7 +36,7 @@ def test_prevent_runtime_error_regression(ssh_audit, kex): kex.set_host_key("ssh-rsa7", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00", 1024, '', 0) kex.set_host_key("ssh-rsa8", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00", 1024, '', 0) - rv = ssh_audit.build_struct('localhost', None, [], kex=kex) + rv = ssh_audit.build_struct('localhost', None, kex=kex) assert len(rv["fingerprints"]) == (9 * 2) # Each host key generates two hash fingerprints: one using SHA256, and one using MD5. diff --git a/test/test_ssh1.py b/test/test_ssh1.py index e7000e8..bdc9b1b 100644 --- a/test/test_ssh1.py +++ b/test/test_ssh1.py @@ -139,7 +139,7 @@ class TestSSH1: self.audit(out, self._conf()) out.write() lines = output_spy.flush() - assert len(lines) == 21 + assert len(lines) == 13 def test_ssh1_server_invalid_first_packet(self, output_spy, virtual_socket): vsocket = virtual_socket @@ -154,7 +154,7 @@ class TestSSH1: out.write() assert ret != 0 lines = output_spy.flush() - assert len(lines) == 14 + assert len(lines) == 6 assert 'unknown message' in lines[-1] def test_ssh1_server_invalid_checksum(self, output_spy, virtual_socket): diff --git a/test/test_ssh2.py b/test/test_ssh2.py index f610310..2c1a636 100644 --- a/test/test_ssh2.py +++ b/test/test_ssh2.py @@ -165,7 +165,7 @@ class TestSSH2: self.audit(out, self._conf()) out.write() lines = output_spy.flush() - assert len(lines) == 83 + assert len(lines) == 78 def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket): vsocket = virtual_socket @@ -179,7 +179,7 @@ class TestSSH2: out.write() assert ret != 0 lines = output_spy.flush() - assert len(lines) == 9 + assert len(lines) == 4 assert 'unknown message' in lines[-1] def test_ssh2_gss_kex(self, output_spy, virtual_socket):