Merge 3116c2e678 into d7398baad7

README.md

@@ -221,6 +221,8 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Fixed crash when running with `-P` and `-T` options simultaneously.
  - Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
  - Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit [Drew Noel](https://github.com/drewmnoel) and [Michael Osipov](https://github.com/michael-o).
+ - Added 1 new cipher: `grasshopper-ctr128`.
+ - Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
 
 ### v3.2.0 (2024-04-22)
  - Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).

src/ssh_audit/ssh2_kexdb.py

@@ -64,11 +64,13 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
     INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
     INFO_DEFAULT_OPENSSH_KEX_65_TO_73 = 'default key exchange from OpenSSH 6.5 to 7.3'
     INFO_DEFAULT_OPENSSH_KEX_74_TO_89 = 'default key exchange from OpenSSH 7.4 to 8.9'
-    INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0'
+    INFO_DEFAULT_OPENSSH_KEX_90_TO_98 = 'default key exchange from OpenSSH 9.0 to 9.8'
+    INFO_DEFAULT_OPENSSH_KEX_99 = 'default key exchange since OpenSSH 9.9'
     INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
     INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
     INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
     INFO_NEVER_IMPLEMENTED_IN_OPENSSH = 'despite the @openssh.com tag, this was never implemented in OpenSSH'
+    INFO_HYBRID_PQ_X25519_KEX = 'hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm'
     INFO_REMOVED_IN_OPENSSH61 = 'removed since OpenSSH 6.1, removed from specification'
     INFO_REMOVED_IN_OPENSSH69 = 'removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9'
     INFO_REMOVED_IN_OPENSSH70 = 'removed in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
@@ -189,11 +191,13 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
             'kexguess2@matt.ucc.asn.au': [['d2013.57']],
             'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN]],
             'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN]],
+            'mlkem768x25519-sha256': [['9.9'], [], [], [INFO_HYBRID_PQ_X25519_KEX]],
             'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]],
             'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]],
             'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]],
             'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]],
-            'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90]],
+            'sntrup761x25519-sha512': [['9.9'], [], [], [INFO_DEFAULT_OPENSSH_KEX_99, INFO_HYBRID_PQ_X25519_KEX]],
+            'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90_TO_98, INFO_HYBRID_PQ_X25519_KEX]],
             'x25519-kyber-512r3-sha256-d00@amazon.com': [[]],
             'x25519-kyber512-sha512@aws.amazon.com': [[]],
         },
@@ -346,6 +350,7 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
             'des-cbc-ssh1': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
             'des-cbc@ssh.com': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
             'des': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'grasshopper-ctr128': [[], [FAIL_UNTRUSTED]],
             'idea-cbc': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
             'idea-cfb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
             'idea-ctr': [[], [FAIL_IDEA]],

src/ssh_audit/ssh_audit.py

@@ -723,7 +723,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header
         # Build & write the JSON struct.
         out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, cves, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list, additional_notes=additional_notes), indent=4 if aconf.json_print_indent else None, sort_keys=True))
     elif len(unknown_algorithms) > 0:  # If we encountered any unknown algorithms, ask the user to report them.
-        out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s.  Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.\n" % ','.join(unknown_algorithms))
+        out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s.  If this is the latest version of ssh-audit (see <https://github.com/jtesta/ssh-audit/releases>), please create a new Github issue at <https://github.com/jtesta/ssh-audit/issues> with the full output above.\n" % ','.join(unknown_algorithms))
 
     return program_retval
 

src/ssh_audit/versionvulnerabilitydb.py

@@ -35,6 +35,7 @@ class VersionVulnerabilityDB:  # pylint: disable=too-few-public-methods
     #             then affected = 1 + 4 = 5.
     CVE: Dict[str, List[List[Any]]] = {
         'Dropbear SSH': [
+            ['0.0', '2022.83', 1, 'CVE-2023-48795', 5.9, 'Terrapin attack allows bypassing integrity checks in SSH protocol'],
             ['0.0', '2020.81', 2, 'CVE-2021-36369', 7.5, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'],
             ['0.0', '2018.76', 1, 'CVE-2018-15599', 5.0, 'remote users may enumerate users on the system'],
             ['0.0', '2017.74', 5, 'CVE-2017-9079', 4.7, 'local users can read certain files as root'],
@@ -67,6 +68,13 @@ class VersionVulnerabilityDB:  # pylint: disable=too-few-public-methods
             ['0.4.7', '0.5.2',  1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'],
             ['0.4.7', '0.5.2',  1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']],
         'OpenSSH': [
+            ['1.0',     '9.6',     1, 'CVE-2023-51767', 7.0, 'Row hammer threat allows authentication bypass in shared DRAM'],
+            ['1.0',     '9.5',     2, 'CVE-2023-51385', 7.0, 'OS command injection through expansion tokens containing shell metacharacters'],
+            ['1.0',     '9.5',     2, 'CVE-2023-51384', 5.5, 'ssh-agent applies destination constraints only to the first PKCS#11 key'],
+            ['1.0',     '9.5',     1, 'CVE-2023-48795', 5.9, 'Terrapin attack allows bypassing integrity checks in SSH protocol'],
+            ['1.0',     '9.2',     1, 'CVE-2023-38408', 9.8, 'PKCS#11 feature has a vulnerable search path in ssh-agent, enabling remote code execution'],
+            ['8.9',     '9.2',     1, 'CVE-2023-28531', 9.8, 'ssh-add improperly adds smartcard keys to ssh-agent, bypassing intended destination restrictions'],
+            ['9.1',     '9.1',     1, 'CVE-2023-25136', 6.5, 'A double-free vulnerability allows unauthenticated remote attackers to potentially execute code by manipulating memory'],
             ['6.2',     '8.7',     5, 'CVE-2021-41617', 7.0, 'privilege escalation via supplemental groups'],
             ['1.0',     '8.8',     2, 'CVE-2021-36368', 3.7, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'],
             ['8.2',     '8.4',     2, 'CVE-2021-28041', 7.1, 'double free via ssh-agent'],
@@ -140,6 +148,8 @@ class VersionVulnerabilityDB:  # pylint: disable=too-few-public-methods
             ['1.2.3',   '2.1.1',   1, 'CVE-2001-0361',  4.0, 'recover plaintext from ciphertext'],
             ['1.2',     '2.1',     1, 'CVE-2000-0525', 10.0, 'execute arbitrary code (improper privileges)']],
         'PuTTY': [
+            ['0.68', '0.80', 2, 'CVE-2024-31497', 0.0, 'ecdsa private key recovery by malicious remote server'],
+            ['0.0',  '0.79', 2, 'CVE-2023-48795', 5.9, 'Terrapin attack allows bypassing integrity checks in SSH protocol'],
             # info for CVE-2021-36367 - only PuTTY up to 0.71 is affected - see https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/reject-trivial-auth.html
             ['0.0', '0.71', 2, 'CVE-2021-36367', 8.1, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'],
             ['0.0', '0.74', 2, 'CVE-2021-33500', 5.0, 'denial of service of the complete windows desktop'],