mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-06-22 02:33:40 +02:00
Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.
This commit is contained in:
@ -23,9 +23,21 @@
|
||||
"4096"
|
||||
],
|
||||
"mismatched_field": "Host key (rsa-sha2-512) sizes"
|
||||
},
|
||||
{
|
||||
"actual": [
|
||||
"4096"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"3072"
|
||||
],
|
||||
"mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
|
||||
}
|
||||
],
|
||||
"host": "localhost",
|
||||
"passed": false,
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 3)"
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 4)"
|
||||
}
|
||||
|
@ -1,8 +1,12 @@
|
||||
Host: localhost:2222
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 3)
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 4)
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
|
||||
- Expected: 3072
|
||||
- Actual: 4096
|
||||
|
||||
* Host key (rsa-sha2-256) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
|
@ -46,9 +46,21 @@
|
||||
"umac-128-etm@openssh.com"
|
||||
],
|
||||
"mismatched_field": "MACs"
|
||||
},
|
||||
{
|
||||
"actual": [
|
||||
"4096"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"3072"
|
||||
],
|
||||
"mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
|
||||
}
|
||||
],
|
||||
"host": "localhost",
|
||||
"passed": false,
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 3)"
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 4)"
|
||||
}
|
||||
|
@ -1,8 +1,12 @@
|
||||
Host: localhost:2222
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 3)
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 4)
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
|
||||
- Expected: 3072
|
||||
- Actual: 4096
|
||||
|
||||
* Host key (rsa-sha2-256) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
|
@ -38,6 +38,9 @@
|
||||
"info": [
|
||||
"default cipher since OpenSSH 6.9",
|
||||
"available since OpenSSH 6.5"
|
||||
],
|
||||
"warn": [
|
||||
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -415,6 +418,12 @@
|
||||
},
|
||||
"warning": {
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
"name": "chacha20-poly1305@openssh.com",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group14-sha256",
|
||||
|
@ -43,8 +43,9 @@
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
[0;32m `- [info] default cipher since OpenSSH 6.9[0m
|
||||
[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m
|
||||
`- [info] available since OpenSSH 6.5
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
@ -85,6 +86,7 @@
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
|
@ -38,6 +38,9 @@
|
||||
"info": [
|
||||
"default cipher since OpenSSH 6.9",
|
||||
"available since OpenSSH 6.5"
|
||||
],
|
||||
"warn": [
|
||||
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -374,6 +377,12 @@
|
||||
},
|
||||
"warning": {
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
"name": "chacha20-poly1305@openssh.com",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group14-sha256",
|
||||
|
@ -36,8 +36,9 @@
|
||||
[0;32m(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
[0;32m `- [info] default cipher since OpenSSH 6.9[0m
|
||||
[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m
|
||||
`- [info] available since OpenSSH 6.5
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
@ -77,6 +78,7 @@
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
|
@ -38,6 +38,9 @@
|
||||
"info": [
|
||||
"default cipher since OpenSSH 6.9",
|
||||
"available since OpenSSH 6.5"
|
||||
],
|
||||
"warn": [
|
||||
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -184,6 +187,16 @@
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"warning": {
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
"name": "chacha20-poly1305@openssh.com",
|
||||
"notes": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"target": "localhost:2222"
|
||||
|
@ -22,8 +22,9 @@
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
[0;32m `- [info] default cipher since OpenSSH 6.9[0m
|
||||
[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m
|
||||
`- [info] available since OpenSSH 6.5
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
@ -43,4 +44,8 @@
|
||||
[0;32m(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
|
||||
|
||||
|
@ -16,6 +16,9 @@
|
||||
"info": [
|
||||
"default cipher since OpenSSH 6.9",
|
||||
"available since OpenSSH 6.5"
|
||||
],
|
||||
"warn": [
|
||||
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -16,8 +16,9 @@
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
[0;32m `- [info] default cipher since OpenSSH 6.9[0m
|
||||
[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m
|
||||
`- [info] available since OpenSSH 6.5
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m
|
||||
|
Reference in New Issue
Block a user