jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

Remove Diffie Hellman algorithm suggestions #132

Closed antivirtel closed 2 years ago

antivirtel commented 2 years ago

Hi,

I've just used the v2.5.0 release of ssh-audit. It is a great tool, but it seems like it's still suggesting vulnerable things like diffie-hellman-group14-sha1, e.g. for EL6 (CentOS 6) sshd versions:

# general
(gen) banner: SSH-2.0-OpenSSH_5.3
(gen) software: OpenSSH 5.3
(gen) compatibility: OpenSSH 5.9+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2018-15473               -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
(cve) CVE-2016-3115                -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
(cve) CVE-2015-6564                -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
(cve) CVE-2015-6563                -- (CVSSv2: 1.9) conduct impersonation attack
(cve) CVE-2014-2532                -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
(cve) CVE-2014-1692                -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
(cve) CVE-2012-0814                -- (CVSSv2: 3.5) leak data via debug messages
(cve) CVE-2011-5000                -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
(cve) CVE-2010-5107                -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
(cve) CVE-2010-4755                -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
(cve) CVE-2010-4478                -- (CVSSv2: 7.5) bypass authentication check via crafted values

# key exchange algorithms
(kex) diffie-hellman-group14-sha1  -- [warn] using weak hashing algorithm
                                   `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) ecdh-sha2-nistp256           -- [fail] using weak elliptic curves
                                   `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384           -- [fail] using weak elliptic curves
                                   `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521           -- [fail] using weak elliptic curves
                                   `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62

# host-key algorithms
(key) ssh-rsa (2048-bit)           -- [fail] using weak hashing algorithm
                                   `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                   `- [info] a future deprecation notice has been issued in OpenSSH 8.2: https://www.openssh.com/txt/release-8.2

# encryption algorithms (ciphers)
(enc) aes128-ctr                   -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                   -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                   -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256                -- [warn] using encrypt-and-MAC mode
                                   `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                -- [warn] using encrypt-and-MAC mode
                                   `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-rsa: SHA256:blb2...2ac

# algorithm recommendations (for OpenSSH 5.3)
(rec) -ssh-rsa                     -- key algorithm to remove
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

However, we know that they're vulnerable/weak; OpenVAS is also alerting for that:

Detection Result

The remote SSH server supports the following DHE KEX algorithm(s):

diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha256

References:
CVE: CVE-2002-20001
CERT: DFN-CERT-2022-0437, DFN-CERT-2021-2622, CB-K22/0224, CB-K21/1276
Other: https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol , https://github.com/Balasys/dheater

From the above, other than not using EL6 anymore (we know the reality of that: migration is in progress, but we have to keep them around until they're migrated), I don't think ssh-audit should suggest the below:

# algorithm recommendations (for OpenSSH 5.3)
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append

I also see the same with other (more recent) OSes: EL7:

# algorithm recommendations (for OpenSSH 7.4)
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) +rsa-sha2-256                  -- key algorithm to append
(rec) +rsa-sha2-512                  -- key algorithm to append

Ubuntu 20.04 LTS:

# algorithm recommendations (for OpenSSH 8.2)
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) +rsa-sha2-256                  -- key algorithm to append
(rec) +rsa-sha2-512                  -- key algorithm to append

If you agree, can you please remove any suggestions which are about Diffie Hellman algorithms?

PS: when is a new release expected with the new changes?

Thank you!

jtesta commented 2 years ago

Hi there. In your first example for CentOS 6, you posted this:

# algorithm recommendations (for OpenSSH 5.3)
(rec) -ssh-rsa                     -- key algorithm to remove
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove

It's actually advising you to remove diffie-hellman-group14-sha1, not include it.

Regarding diffie-hellman-group-exchange-sha256, that can be good or bad, depending on the moduli the server is configured with. In OpenSSH, that's controlled by the /etc/ssh/moduli file (see the hardening guides here for removing the weak moduli: https://www.sshaudit.com/hardening_guides.html).

OpenVAS is also alerting for that

Seems like OpenVAS isn't using a proper modulus test for diffie-hellman-group-exchange-sha256. I'd guess it sees that key exchange algorithm and is just assuming the worst. On many default platforms, that conclusion is valid, but it's a false positive for properly hardened systems.
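The point jtesta makes above is that diffie-hellman-group-exchange-sha256 is only as strong as the smallest group left in /etc/ssh/moduli, because that is what the server will negotiate when a client asks for a small group. The following is an added example (not ssh-audit's code, not from the hardening guides, and not from either commenter) of the moduli check and filter a practitioner would run before deciding whether a scanner hit on this kex is real. The function names, the 3072-bit floor, and the sample moduli file are assumptions of this example; the hex moduli in the sample are constructed placeholders, not real safe primes, and only the layout and the size column matter here.

```shell
#!/bin/sh
# Added example: filter an OpenSSH moduli file so that
# diffie-hellman-group-exchange-sha256 can only negotiate groups of at
# least MIN_BITS bits.  Column 5 of /etc/ssh/moduli is the group size
# minus one (2047 means a 2048-bit group), so a 3072-bit floor is "$5 >= 3071".
set -eu

# Write a constructed sample moduli file to $1.  The modulus column is a
# placeholder, NOT a real safe prime; only the size column (5) is meaningful.
make_sample_moduli() {
    cat > "$1" <<'EOF'
20230101000000 2 6 100 1023 2 c0ffee01
20230101000000 2 6 100 2047 2 c0ffee02
20230101000000 2 6 100 3071 2 c0ffee03
20230101000000 2 6 100 4095 2 c0ffee04
20230101000000 2 6 100 6143 2 c0ffee05
20230101000000 2 6 100 8191 2 c0ffee06
EOF
}

# Print only the moduli lines whose group is at least $2 bits.
# $1 = moduli file, $2 = minimum group size in bits (e.g. 3072)
filter_moduli() {
    awk -v min="$(( $2 - 1 ))" '$5 >= min' "$1"
}

# Count the lines below the floor: these are the groups a small-group
# scanner hit is really about.  Zero here means such a hit is a false positive.
# $1 = moduli file, $2 = minimum acceptable group size in bits
count_weak_moduli() {
    awk -v min="$(( $2 - 1 ))" '$5 < min' "$1" | wc -l | tr -d ' '
}

# Replace the moduli file with only the strong groups.  Refuse to install an
# empty file: sshd would then fall back to a built-in fixed group rather than
# fail, which silently undoes the hardening.
# $1 = moduli file, $2 = minimum acceptable group size in bits
harden_moduli_file() {
    tmp="$(mktemp)"
    filter_moduli "$1" "$2" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no moduli of $2 bits or more in $1; refusing to install an empty file" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$1"
}

# Usage against the constructed sample (run as root against /etc/ssh/moduli
# on a real host, then restart sshd):
sample="$(mktemp)"
make_sample_moduli "$sample"
echo "weak groups before: $(count_weak_moduli "$sample" 3072)"
harden_moduli_file "$sample" 3072
echo "weak groups after:  $(count_weak_moduli "$sample" 3072)"
rm -f "$sample"
```

After running this against the real file, re-run ssh-audit: the kex line stays, because the algorithm name does not change, but every group the server can now hand out is at least 3072 bits, which is the case the comment above describes as a scanner false positive.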