Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.

README.md

@@ -178,6 +178,9 @@ For convenience, a web front-end on top of the command-line tool is available at
 
 ## ChangeLog
 
+### v3.2.0 (???)
+ - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.  It now includes more rarely found ciphers.
+
 ### v3.1.0 (2023-12-20)
  - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
  - Dropped support for Python 3.7 (EOL was reached in June 2023).

src/ssh_audit/ssh_audit.py

@@ -491,7 +491,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
         if algs.ssh2kex is not None:
             ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
             for cipher in ciphers_supported:
-                if cipher.endswith("-cbc"):
+                if cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se":
                     ret.append(cipher)
 
         return ret
@@ -501,7 +501,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
         ret = []
 
         for cipher in db["enc"]:
-            if cipher.endswith("-cbc") and cipher not in _get_cbc_ciphers_enabled(algs):
+            if (cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se") and cipher not in _get_cbc_ciphers_enabled(algs):
                 ret.append(cipher)
 
         return ret