Skip to content

Commit

Permalink
Added test for the Terrapin vulnerability (CVE-2023-48795) (#227).
Browse files Browse the repository at this point in the history
  • Loading branch information
jtesta committed Dec 18, 2023
1 parent 46eb970 commit 8e972c5
Show file tree
Hide file tree
Showing 4 changed files with 49 additions and 5 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ For convenience, a web front-end on top of the command-line tool is available at
- In Ubuntu 22.04 client policy, moved host key types `[email protected]` and `ssh-ed25519` to the end of all certificate types.
- Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
- Dropped support for Python 3.7 (EOL was reached in June 2023).
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).

### v3.0.0 (2023-09-07)
- Results from concurrent scans against multiple hosts are no longer improperly combined; bug discovered by [Adam Russell](https://github.com/thecliguy).
Expand Down
8 changes: 6 additions & 2 deletions src/ssh_audit/ssh2_kexdb.py
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
INFO_REMOVED_IN_OPENSSH69 = 'removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9'
INFO_REMOVED_IN_OPENSSH70 = 'removed in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
INFO_WITHDRAWN_PQ_ALG = 'the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security'
INFO_EXTENSION_NEGOTIATION = 'pseudo-algorithm that denotes the peer supports RFC8308 extensions'
INFO_STRICT_KEX = 'pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)'

# Maintains a dictionary per calling thread that yields its own copy of MASTER_DB. This prevents results from one thread polluting the results of another thread.
DB_PER_THREAD: Dict[int, Dict[str, Dict[str, List[List[Optional[str]]]]]] = {}
Expand Down Expand Up @@ -154,8 +156,10 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]], # sect283k1
'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1
'ecmqv-sha2': [[], [FAIL_UNPROVEN]],
'ext-info-c': [[]], # Extension negotiation (RFC 8308)
'ext-info-s': [[]], # Extension negotiation (RFC 8308)
'ext-info-c': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308)
'ext-info-s': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308)
'[email protected]': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795).
'[email protected]': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795).

# The GSS kex algorithms get special wildcard handling, since they include variable base64 data after their standard prefixes.
'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN]],
Expand Down
43 changes: 41 additions & 2 deletions src/ssh_audit/ssh_audit.py
Original file line number Diff line number Diff line change
Expand Up @@ -447,7 +447,7 @@ def output_info(out: OutputBuffer, software: Optional['Software'], client_audit:
out.sep()


def post_process_findings(banner: Optional[Banner], algs: Algorithms) -> List[str]:
def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_audit: bool) -> List[str]:
'''Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended'''


Expand All @@ -466,6 +466,45 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms) -> List[st
# Ensure that this algorithm doesn't appear in the recommendations section since the user cannot control this OpenSSH bug.
algorithm_recommendation_suppress_list.append('diffie-hellman-group-exchange-sha256')

# Check for the Terrapin vulnerability (CVE-2023-48795), and mark the vulnerable algorithms.
if algs.ssh2kex is not None and \
((client_audit and '[email protected]' not in algs.ssh2kex.kex_algorithms) or (not client_audit and '[email protected]' not in algs.ssh2kex.kex_algorithms)): # Strict KEX marker is not present.

This comment has been minimized.

Copy link
@ecki

ecki Dec 19, 2023

The presence of the strict kex extension should not skip the checking of the ciphers, since they still can affect peers which don’t negotiate the extension.. hmm.. maybe Seperate warnings? „Strict kex not supported“?

This comment has been minimized.

Copy link
@jtesta

jtesta Dec 19, 2023

Author Owner

Thanks for the feedback! I updated it in c259a83 to add a warning about this at the bottom of the UI.


def add_terrapin_warning(db: Dict[str, Dict[str, List[List[Optional[str]]]]], category: str, algorithm_name: str) -> None:
while len(db[category][algorithm_name]) < 3:
db[category][algorithm_name].append([])

db[category][algorithm_name][2].append("vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation")

db = SSH2_KexDB.get_db()

# Without the strict KEX marker, these algorithms are always vulnerable.
add_terrapin_warning(db, "enc", "chacha20-poly1305")
add_terrapin_warning(db, "enc", "[email protected]")

cbc_ciphers = []
etm_macs = []

# Find the list of CBC ciphers the peer supports.
ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
for cipher in ciphers_supported:
if cipher.endswith("-cbc"):
cbc_ciphers.append(cipher)

# Find the list of ETM MACs the peer supports.
macs_supported = algs.ssh2kex.client.mac if client_audit else algs.ssh2kex.server.mac
for mac in macs_supported:
if mac.endswith("[email protected]"):
etm_macs.append(mac)

# If at least one CBC cipher and at least one ETM MAC is supported, mark them all as vulnerable.
if len(cbc_ciphers) > 0 and len(etm_macs) > 0:

This comment has been minimized.

Copy link
@ecki

ecki Dec 19, 2023

Do you want to consider to add a „less severe“ warning „Mac with etm mode is present, but no CBC ciphers are present so Terrapin attack can’t succeed“ just as a confirmation and warning that the Mac list is not com0letely safe?

for cipher in cbc_ciphers:
add_terrapin_warning(db, "enc", cipher)

for mac in etm_macs:
add_terrapin_warning(db, "mac", mac)

return algorithm_recommendation_suppress_list


Expand All @@ -478,7 +517,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header
algs = Algorithms(pkm, kex)

# Perform post-processing on the findings to make final adjustments before outputting the results.
algorithm_recommendation_suppress_list = post_process_findings(banner, algs)
algorithm_recommendation_suppress_list = post_process_findings(banner, algs, client_audit)

with out:
if print_target:
Expand Down
2 changes: 1 addition & 1 deletion test/test_ssh2.py
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ def test_ssh2_server_simple(self, output_spy, virtual_socket):
self.audit(out, self._conf())
out.write()
lines = output_spy.flush()
assert len(lines) == 70
assert len(lines) == 83

def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
vsocket = virtual_socket
Expand Down

0 comments on commit 8e972c5

Please sign in to comment.