From d0628f6eb430a15413f840ea1a99b1659b00b21f Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Mon, 7 Oct 2024 17:41:39 -0400 Subject: [PATCH] Updated ext-info-c and ext-info-s key exchanges to include versions of OpenSSH they were first included in. (#291) --- src/ssh_audit/algorithms.py | 7 +++++-- src/ssh_audit/ssh2_kexdb.py | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/ssh_audit/algorithms.py b/src/ssh_audit/algorithms.py index 5f75c85..313e37e 100644 --- a/src/ssh_audit/algorithms.py +++ b/src/ssh_audit/algorithms.py @@ -172,8 +172,11 @@ class Algorithms: if fc > 0: faults += pow(10, 2 - i) * fc if n not in alg_list: - # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server. - if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version: + # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server. Also don't recommend 'ext-info-[cs]' nor 'kex-strict-[cs]-v00@openssh.com' key exchanges. + if faults > 0 or \ + (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or \ + (alg_type == 'kex' and (n.startswith('ext-info-') or n.startswith('kex-strict-'))) or \ + empty_version: continue rec[sshv][alg_type]['add'][n] = 0 else: diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py index 7c036bc..c4b3291 100644 --- a/src/ssh_audit/ssh2_kexdb.py +++ b/src/ssh_audit/ssh2_kexdb.py @@ -160,8 +160,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods 'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]], # sect283k1 'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1 'ecmqv-sha2': [[], [FAIL_UNPROVEN]], - 'ext-info-c': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) - 'ext-info-s': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) + 'ext-info-c': [['7.2'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) + 'ext-info-s': [['9.6'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) 'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795). 'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795).