diff --git a/docker_test.sh b/docker_test.sh index 68a2d62f..fc8cd080 100755 --- a/docker_test.sh +++ b/docker_test.sh @@ -746,7 +746,7 @@ run_openssh_test "5.6p1" "test5" "${PROGRAM_RETVAL_FAILURE}" echo run_openssh_test "8.0p1" "test1" "${PROGRAM_RETVAL_FAILURE}" run_openssh_test "8.0p1" "test2" "${PROGRAM_RETVAL_FAILURE}" -run_openssh_test "8.0p1" "test3" "${PROGRAM_RETVAL_GOOD}" +run_openssh_test "8.0p1" "test3" "${PROGRAM_RETVAL_FAILURE}" echo run_dropbear_test "2019.78" "test1" "-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key" 3 echo diff --git a/src/ssh_audit/algorithms.py b/src/ssh_audit/algorithms.py index 5f75c856..fa7ed5a7 100644 --- a/src/ssh_audit/algorithms.py +++ b/src/ssh_audit/algorithms.py @@ -179,7 +179,7 @@ def get_recommendations(self, software: Optional['Software'], for_server: bool = else: if faults == 0: continue - if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']: + if n in ['rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']: rec[sshv][alg_type]['chg'][n] = faults else: rec[sshv][alg_type]['del'][n] = faults diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py index 61421e1b..0159af16 100644 --- a/src/ssh_audit/ssh2_kexdb.py +++ b/src/ssh_audit/ssh2_kexdb.py @@ -51,6 +51,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods FAIL_UNKNOWN = 'using unknown algorithm' FAIL_UNPROVEN = 'using unproven algorithm' FAIL_UNTRUSTED = 'using untrusted algorithm developed in secret by a government entity' + FAIL_DHEATER = 'vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com' WARN_2048BIT_MODULUS = '2048-bit modulus only provides 112-bits of symmetric strength' WARN_BLOCK_SIZE = 'using small 64-bit block size' 
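Review bot: The expectation for the OpenSSH 8.0p1 "test3" run flips from PROGRAM_RETVAL_GOOD to PROGRAM_RETVAL_FAILURE without anything recording why, and it was the only 8.0p1 case in this hunk that exercised the clean-exit path. Presumably test3's sshd configuration still offers a finite-field DH kex, which the new FAIL_DHEATER entry in ssh2_kexdb.py now turns into a failing audit; a comment above the call, `# test3 now fails: every diffie-hellman-group* kex is flagged by FAIL_DHEATER`, would keep that reason next to the expectation. If the suite is meant to retain a configuration that exits GOOD on 8.0p1, a test that advertises only ECDH/curve25519 kex methods would be needed to cover that path again.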
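Review bot: The changed line drops diffie-hellman-group-exchange-sha256 from the inline list that routes an algorithm's faults to a 'chg' recommendation instead of 'del', but nothing says why, and the list no longer reads as a "kex or rsa" set. A short comment would record the intent, e.g. `# Only faults fixable by reconfiguration (RSA key size) get a 'chg' entry; DH group exchange now always carries FAIL_DHEATER, so it is recommended for removal instead`. As a point of style, the four names are better hoisted out of the loop body into a module- or class-level constant such as `_CHG_RATHER_THAN_DEL = frozenset({'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'})` and tested with `if n in _CHG_RATHER_THAN_DEL:`, so the policy is named rather than buried in a condition. get_recommendations starts and ends outside this hunk.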
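Review bot: FAIL_DHEATER is introduced as a hard failure, the same tier as broken hashes and 1024-bit moduli, and the following hunk of this file (L2–L3) attaches it to every diffie-hellman-group* and diffie-hellman-group-exchange* entry, including the larger fixed groups that previously carried no fault at all. The message itself describes a DoS condition rather than a break of the key exchange, and as far as I understand the referenced CVEs the exposure depends on server-side limits on concurrent key exchanges rather than on the group chosen, so putting it in the FAIL tier rather than WARN is a policy choice that is invisible to a later reader of the table. A comment beside the constant stating that choice, e.g. `# Rated FAIL rather than WARN deliberately: any finite-field DH kex lets a remote peer force expensive modular exponentiation`, would keep it from being silently revisited. The text also spells the attack class "DOS" where "DoS" is the usual form; changing it means regenerating every expected-results fixture in this commit, so it is worth settling now rather than later.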
@@ -83,30 +84,30 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX]], 'curve448-sha512': [[]], 'curve448-sha512@libssh.org': [[]], - 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group14-sha224@ssh.com': [[]], - 'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group15-sha256': [[]], - 'diffie-hellman-group15-sha256@ssh.com': [[]], - 'diffie-hellman-group15-sha384@ssh.com': [[]], - 'diffie-hellman-group15-sha512': [[]], - 'diffie-hellman-group16-sha256': [[]], - 'diffie-hellman-group16-sha384@ssh.com': [[]], - 'diffie-hellman-group16-sha512': [['7.3,d2016.73']], - 'diffie-hellman-group16-sha512@ssh.com': [[]], - 'diffie-hellman-group17-sha512': [[]], - 'diffie-hellman_group17-sha512': [[]], - 'diffie-hellman-group18-sha512': [['7.3']], - 'diffie-hellman-group18-sha512@ssh.com': [[]], - 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH69]], - 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]], - 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1]], - 'diffie-hellman-group-exchange-sha224@ssh.com': [[]], - 'diffie-hellman-group-exchange-sha256': [['4.4']], - 'diffie-hellman-group-exchange-sha256@ssh.com': [[]], - 'diffie-hellman-group-exchange-sha384@ssh.com': [[]], - 'diffie-hellman-group-exchange-sha512@ssh.com': [[]], + 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1, FAIL_DHEATER], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group14-sha224@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [FAIL_DHEATER], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group14-sha256@ssh.com': [[], 
[FAIL_DHEATER], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group15-sha256': [[], [FAIL_DHEATER]], + 'diffie-hellman-group15-sha256@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group15-sha384@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group15-sha512': [[], [FAIL_DHEATER]], + 'diffie-hellman-group16-sha256': [[], [FAIL_DHEATER]], + 'diffie-hellman-group16-sha384@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group16-sha512': [['7.3,d2016.73'], [FAIL_DHEATER]], + 'diffie-hellman-group16-sha512@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group17-sha512': [[], [FAIL_DHEATER]], + 'diffie-hellman_group17-sha512': [[], [FAIL_DHEATER]], + 'diffie-hellman-group18-sha512': [['7.3'], [FAIL_DHEATER]], + 'diffie-hellman-group18-sha512@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1, FAIL_DHEATER], [], [INFO_REMOVED_IN_OPENSSH69]], + 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS, FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1, FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha224@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha256': [['4.4'], [FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha256@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha384@ssh.com': [[], [FAIL_DHEATER]], + 'diffie-hellman-group-exchange-sha512@ssh.com': [[], [FAIL_DHEATER]], 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json index 171ab791..e32e5a1e 100644 --- a/test/docker/expected_results/dropbear_2019.78_test1.json 
+++ b/test/docker/expected_results/dropbear_2019.78_test1.json @@ -143,6 +143,9 @@ { "algorithm": "diffie-hellman-group14-sha256", "notes": { + "fail": [ + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" + ], "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], @@ -155,7 +158,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -278,6 +282,10 @@ "name": "diffie-hellman-group14-sha1", "notes": "" }, + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + }, { "name": "ecdh-sha2-nistp256", "notes": "" @@ -328,12 +336,6 @@ "name": "twofish256-ctr", "notes": "" } - ], - "kex": [ - { - "name": "diffie-hellman-group16-sha512", - "notes": "" - } ] } }, @@ -349,12 +351,6 @@ "notes": "" } ], - "kex": [ - { - "name": "diffie-hellman-group14-sha256", - "notes": "" - } - ], "mac": [ { "name": "hmac-sha2-256", diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt index c0d5dfcf..8cf4b207 100644 --- a/test/docker/expected_results/dropbear_2019.78_test1.txt +++ b/test/docker/expected_results/dropbear_2019.78_test1.txt 
@@ -15,9 +15,11 @@ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 -(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength +(kex) diffie-hellman-group14-sha256 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57 @@ -66,6 +68,7 @@ (rec) -3des-cbc -- enc algorithm to remove  (rec) -3des-ctr -- enc algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove  (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove  (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove  
@@ -74,12 +77,10 @@ (rec) -hmac-sha1-96 -- mac algorithm to remove  (rec) -ssh-dss -- key algorithm to remove  (rec) -ssh-rsa -- key algorithm to remove  -(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  (rec) +twofish128-ctr -- enc algorithm to append  (rec) +twofish256-ctr -- enc algorithm to append  (rec) -aes128-cbc -- enc algorithm to remove  (rec) -aes256-cbc -- enc algorithm to remove  -(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  (rec) -hmac-sha2-256 -- mac algorithm to remove  # additional info diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json index 603f44eb..1ebe9506 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.json +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -280,7 +280,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -296,7 +297,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt index 4810a474..1329f124 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.txt +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt 
@@ -34,11 +34,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json index 38035fb9..64dedb10 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.json +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -279,7 +279,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -295,7 +296,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", 
@@ -435,14 +437,6 @@ ], "recommendations": { "critical": { - "chg": { - "kex": [ - { - "name": "diffie-hellman-group-exchange-sha256", - "notes": "increase modulus size to 3072 bits or larger" - } - ] - }, "del": { "enc": [ { @@ -486,6 +480,10 @@ { "name": "diffie-hellman-group-exchange-sha1", "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" } ], "key": [ diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt index 601dc39b..f4b8e9b0 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.txt +++ b/test/docker/expected_results/openssh_5.6p1_test1.txt @@ -27,11 +27,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
@@ -105,7 +107,6 @@ (fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 # algorithm recommendations (for OpenSSH 5.6) -(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -3des-cbc -- enc algorithm to remove  (rec) -arcfour -- enc algorithm to remove  (rec) -arcfour128 -- enc algorithm to remove  @@ -113,6 +114,7 @@ (rec) -blowfish-cbc -- enc algorithm to remove  (rec) -cast128-cbc -- enc algorithm to remove  (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove  (rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  (rec) -hmac-md5 -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json index 962f3ecb..ae435374 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.json +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -279,7 +279,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -295,7 +296,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", 
@@ -437,14 +439,6 @@ ], "recommendations": { "critical": { - "chg": { - "kex": [ - { - "name": "diffie-hellman-group-exchange-sha256", - "notes": "increase modulus size to 3072 bits or larger" - } - ] - }, "del": { "enc": [ { @@ -488,6 +482,10 @@ { "name": "diffie-hellman-group-exchange-sha1", "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" } ], "key": [ diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt index 6b3b975a..8b52ba8b 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.txt +++ b/test/docker/expected_results/openssh_5.6p1_test2.txt @@ -27,11 +27,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
@@ -106,7 +108,6 @@ (fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 # algorithm recommendations (for OpenSSH 5.6) -(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -3des-cbc -- enc algorithm to remove  (rec) -arcfour -- enc algorithm to remove  (rec) -arcfour128 -- enc algorithm to remove  @@ -114,6 +115,7 @@ (rec) -blowfish-cbc -- enc algorithm to remove  (rec) -cast128-cbc -- enc algorithm to remove  (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove  (rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  (rec) -hmac-md5 -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json index 586e06bd..54c427a5 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.json +++ b/test/docker/expected_results/openssh_5.6p1_test3.json @@ -279,7 +279,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -295,7 +296,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", 
@@ -436,14 +438,6 @@ ], "recommendations": { "critical": { - "chg": { - "kex": [ - { - "name": "diffie-hellman-group-exchange-sha256", - "notes": "increase modulus size to 3072 bits or larger" - } - ] - }, "del": { "enc": [ { @@ -487,6 +481,10 @@ { "name": "diffie-hellman-group-exchange-sha1", "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" } ], "key": [ diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt index 991c5027..89aab878 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.txt +++ b/test/docker/expected_results/openssh_5.6p1_test3.txt @@ -27,11 +27,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
@@ -105,7 +107,6 @@ (fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 # algorithm recommendations (for OpenSSH 5.6) -(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -3des-cbc -- enc algorithm to remove  (rec) -arcfour -- enc algorithm to remove  (rec) -arcfour128 -- enc algorithm to remove  @@ -113,6 +114,7 @@ (rec) -blowfish-cbc -- enc algorithm to remove  (rec) -cast128-cbc -- enc algorithm to remove  (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove  (rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  (rec) -hmac-md5 -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json index c52386dc..33701491 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.json +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -279,7 +279,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -295,7 +296,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", 
@@ -435,14 +437,6 @@ ], "recommendations": { "critical": { - "chg": { - "kex": [ - { - "name": "diffie-hellman-group-exchange-sha256", - "notes": "increase modulus size to 3072 bits or larger" - } - ] - }, "del": { "enc": [ { @@ -486,6 +480,10 @@ { "name": "diffie-hellman-group-exchange-sha1", "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" } ], "key": [ diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt index 2fb3e193..6e87ab06 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.txt +++ b/test/docker/expected_results/openssh_5.6p1_test4.txt @@ -27,11 +27,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
@@ -104,7 +106,6 @@ (fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244 # algorithm recommendations (for OpenSSH 5.6) -(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -3des-cbc -- enc algorithm to remove  (rec) -arcfour -- enc algorithm to remove  (rec) -arcfour128 -- enc algorithm to remove  @@ -112,6 +113,7 @@ (rec) -blowfish-cbc -- enc algorithm to remove  (rec) -cast128-cbc -- enc algorithm to remove  (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove  (rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  (rec) -hmac-md5 -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json index 593323d3..c27750f5 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.json +++ b/test/docker/expected_results/openssh_5.6p1_test5.json @@ -279,7 +279,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -295,7 +296,8 @@ "fail": [ "using small 1024-bit modulus", "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", 
@@ -434,14 +436,6 @@ ], "recommendations": { "critical": { - "chg": { - "kex": [ - { - "name": "diffie-hellman-group-exchange-sha256", - "notes": "increase modulus size to 3072 bits or larger" - } - ] - }, "del": { "enc": [ { @@ -485,6 +479,10 @@ { "name": "diffie-hellman-group-exchange-sha1", "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" } ], "key": [ diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt index b9e7cd71..8f3b333b 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.txt +++ b/test/docker/expected_results/openssh_5.6p1_test5.txt @@ -27,11 +27,13 @@ (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
@@ -103,7 +105,6 @@ (fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244 # algorithm recommendations (for OpenSSH 5.6) -(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -3des-cbc -- enc algorithm to remove  (rec) -arcfour -- enc algorithm to remove  (rec) -arcfour128 -- enc algorithm to remove  @@ -111,6 +112,7 @@ (rec) -blowfish-cbc -- enc algorithm to remove  (rec) -cast128-cbc -- enc algorithm to remove  (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove  (rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  (rec) -hmac-md5 -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json index 2dbcdb38..491a2535 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.json +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -160,6 +160,9 @@ "algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 4096, "notes": { + "fail": [ + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" + ], "info": [ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", "available since OpenSSH 4.4" @@ -169,6 +172,9 @@ { "algorithm": "diffie-hellman-group16-sha512", "notes": { + "fail": [ + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" + ], "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ] 
@@ -177,6 +183,9 @@ { "algorithm": "diffie-hellman-group18-sha512", "notes": { + "fail": [ + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" + ], "info": [ "available since OpenSSH 7.3" ] @@ -185,6 +194,9 @@ { "algorithm": "diffie-hellman-group14-sha256", "notes": { + "fail": [ + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" + ], "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], @@ -197,7 +209,8 @@ "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ - "using broken SHA-1 hash algorithm" + "using broken SHA-1 hash algorithm", + "vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" @@ -378,6 +391,22 @@ "name": "diffie-hellman-group14-sha1", "notes": "" }, + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + }, + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "" + }, { "name": "ecdh-sha2-nistp256", "notes": "" @@ -415,12 +444,6 @@ }, "warning": { "del": { - "kex": [ - { - "name": "diffie-hellman-group14-sha256", - "notes": "" - } - ], "mac": [ { "name": "hmac-sha2-256", diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt index cfc28fc3..b195048b 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.txt +++ b/test/docker/expected_results/openssh_8.0p1_test1.txt 
@@ -21,13 +21,18 @@
  `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
  `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
-(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
-(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
  `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com 
  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
  `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
 
@@ -77,7 +82,11 @@
 (fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
 
 # algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove 
 (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove 
+(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
@@ -85,7 +94,6 @@
 (rec) -hmac-sha1 -- mac algorithm to remove 
 (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
 (rec) -ssh-rsa -- key algorithm to remove 
-(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
 (rec) -hmac-sha2-256 -- mac algorithm to remove 
 (rec) -hmac-sha2-512 -- mac algorithm to remove 
 (rec) -umac-128@openssh.com -- mac algorithm to remove 
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json
index da802a27..6cdc68ad 100644
--- a/test/docker/expected_results/openssh_8.0p1_test2.json
+++ b/test/docker/expected_results/openssh_8.0p1_test2.json
@@ -150,6 +150,9 @@
 "algorithm": "diffie-hellman-group-exchange-sha256",
 "keysize": 4096,
 "notes": {
+"fail": [
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
+],
 "info": [
 "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
 "available since OpenSSH 4.4"
@@ -159,6 +162,9 @@
 {
 "algorithm": "diffie-hellman-group16-sha512",
 "notes": {
+"fail": [
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
+],
 "info": [
 "available since OpenSSH 7.3, Dropbear SSH 2016.73"
 ]
@@ -167,6 +173,9 @@
 {
 "algorithm": "diffie-hellman-group18-sha512",
 "notes": {
+"fail": [
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
+],
 "info": [
 "available since OpenSSH 7.3"
 ]
@@ -175,6 +184,9 @@
 {
 "algorithm": "diffie-hellman-group14-sha256",
 "notes": {
+"fail": [
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
+],
 "info": [
 "available since OpenSSH 7.3, Dropbear SSH 2016.73"
 ],
@@ -187,7 +199,8 @@
 "algorithm": "diffie-hellman-group14-sha1",
 "notes": {
 "fail": [
-"using broken SHA-1 hash algorithm"
+"using broken SHA-1 hash algorithm",
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
 ],
 "info": [
 "available since OpenSSH 3.9, Dropbear SSH 0.53"
@@ -333,6 +346,22 @@
 "name": "diffie-hellman-group14-sha1",
 "notes": ""
 },
+{
+"name": "diffie-hellman-group14-sha256",
+"notes": ""
+},
+{
+"name": "diffie-hellman-group16-sha512",
+"notes": ""
+},
+{
+"name": "diffie-hellman-group18-sha512",
+"notes": ""
+},
+{
+"name": "diffie-hellman-group-exchange-sha256",
+"notes": ""
+},
 {
 "name": "ecdh-sha2-nistp256",
 "notes": ""
@@ -374,12 +403,6 @@
 },
 "warning": {
 "del": {
-"kex": [
-{
-"name": "diffie-hellman-group14-sha256",
-"notes": ""
-}
-],
 "mac": [
 {
 "name": "hmac-sha2-256",
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt
index f365a8fb..84f7f02d 100644
--- a/test/docker/expected_results/openssh_8.0p1_test2.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test2.txt
@@ -21,13 +21,18 @@
  `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
  `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
-(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
-(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
  `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com 
  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
  `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
 
@@ -69,7 +74,11 @@
 (fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
 
 # algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove 
 (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove 
+(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
@@ -77,7 +86,6 @@
 (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
 (rec) +rsa-sha2-256 -- key algorithm to append 
 (rec) +rsa-sha2-512 -- key algorithm to append 
-(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
 (rec) -hmac-sha2-256 -- mac algorithm to remove 
 (rec) -hmac-sha2-512 -- mac algorithm to remove 
 (rec) -umac-128@openssh.com -- mac algorithm to remove 
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json
index 153be478..b8aa1156 100644
--- a/test/docker/expected_results/openssh_8.0p1_test3.json
+++ b/test/docker/expected_results/openssh_8.0p1_test3.json
@@ -117,6 +117,9 @@
 "algorithm": "diffie-hellman-group-exchange-sha256",
 "keysize": 4096,
 "notes": {
+"fail": [
+"vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com"
+],
 "info": [
 "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
 "available since OpenSSH 4.4"
@@ -161,18 +164,18 @@
 }
 ],
 "recommendations": {
-"informational": {
-"add": {
+"critical": {
+"del": {
 "kex": [
 {
-"name": "diffie-hellman-group16-sha512",
-"notes": ""
-},
-{
-"name": "diffie-hellman-group18-sha512",
+"name": "diffie-hellman-group-exchange-sha256",
 "notes": ""
 }
-],
+]
+}
+},
+"informational": {
+"add": {
 "key": [
 {
 "name": "rsa-sha2-256",
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt
index f41df082..840ce2cd 100644
--- a/test/docker/expected_results/openssh_8.0p1_test3.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test3.txt
@@ -15,8 +15,9 @@
  `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
  `- [info] default key exchange since OpenSSH 6.4
-(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [fail] vulnerable to the DHEater DOS attacks: CVE-2002-20001 and CVE-2022-40735. More info: https://dheatattack.com
+ `- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
 
 # host-key algorithms
 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
@@ -39,8 +40,10 @@
 (fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
 
 # algorithm recommendations (for OpenSSH 8.0)
-(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
-(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append 
+(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove 
 (rec) +rsa-sha2-256 -- key algorithm to append 
 (rec) +rsa-sha2-512 -- key algorithm to append 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: 
+
diff --git a/test/test_ssh2.py b/test/test_ssh2.py
index 46748129..169b316d 100644
--- a/test/test_ssh2.py
+++ b/test/test_ssh2.py
@@ -164,7 +164,7 @@ def test_ssh2_server_simple(self, output_spy, virtual_socket):
 self.audit(out, self._conf())
 out.write()
 lines = output_spy.flush()
-assert len(lines) == 70
+assert len(lines) == 67
 
 def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
 vsocket = virtual_socket
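Review bot: The updated `assert len(lines) == 67` pins only the number of output lines, so it cannot tell whether the new DHEater failure notes and the changed kex recommendations are actually what moved the count from 70 to 67; a later change that adds one line and drops another would still pass. Presumably the drop comes from the recommendation reshuffle this commit makes (the kex entries move from informational to critical), but that is inferred, not shown here. A content assertion next to the count would catch regressions in the rendered text, e.g. `assert any("kex algorithm to remove" in line for line in lines)`, or a comparison of `lines` against a checked-in expected-output fixture as the docker tests already do. The enclosing test method test_ssh2_server_simple begins above the hunk.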