From bef8c6c0f710d102987b0f42bb7d42f694faf230 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Wed, 20 Dec 2023 12:11:55 -0500 Subject: [PATCH] Updated notes on fixing Terrapin vulnerability. --- src/ssh_audit/ssh_audit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py index 67db02a..481fc8e 100755 --- a/src/ssh_audit/ssh_audit.py +++ b/src/ssh_audit/ssh_audit.py @@ -593,7 +593,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud # Return a note telling the user that, while this target is properly configured, if connected to a vulnerable peer, then a vulnerable connection is still possible. notes = "" if len(algs_to_note) > 0: - notes = "Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present. The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: %s" % ", ".join(algs_to_note) + notes = "Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present. The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: %s. If any CBC ciphers are in this list, you may remove them while leaving the *-etm@openssh.com MACs in place; these MACs are fine while paired with non-CBC cipher types." % ", ".join(algs_to_note) # Add the chacha ciphers, CBC ciphers, and ETM MACs to the recommendation suppression list if they are not enabled on the server. That way they are not recommended to the user to enable if they were explicitly disabled to handle the Terrapin vulnerability. However, they can still be recommended for disabling. algorithm_recommendation_suppress_list += _get_chacha_ciphers_not_enabled(db, algs)