mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 09:05:10 +01:00
Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.
This commit is contained in:
parent
164356e776
commit
44393c56b3
@ -178,6 +178,9 @@ For convenience, a web front-end on top of the command-line tool is available at
|
||||
|
||||
## ChangeLog
|
||||
|
||||
### v3.2.0 (???)
|
||||
- Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
|
||||
|
||||
### v3.1.0 (2023-12-20)
|
||||
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
|
||||
- Dropped support for Python 3.7 (EOL was reached in June 2023).
|
||||
|
@ -491,7 +491,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
|
||||
if algs.ssh2kex is not None:
|
||||
ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
|
||||
for cipher in ciphers_supported:
|
||||
if cipher.endswith("-cbc"):
|
||||
if cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se":
|
||||
ret.append(cipher)
|
||||
|
||||
return ret
|
||||
@ -501,7 +501,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
|
||||
ret = []
|
||||
|
||||
for cipher in db["enc"]:
|
||||
if cipher.endswith("-cbc") and cipher not in _get_cbc_ciphers_enabled(algs):
|
||||
if (cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se") and cipher not in _get_cbc_ciphers_enabled(algs):
|
||||
ret.append(cipher)
|
||||
|
||||
return ret
|
||||
|
Loading…
Reference in New Issue
Block a user