ssh-audit
Handle CVEs fixed by Debian security updates
ssh-audit xxx.xxx.xxx
# general
(gen) banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
(gen) software: OpenSSH 7.4p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies
One of our old servers should normally not report this CVE since it's fixed by 1:7.4p1-10+deb9u4, a Debian security fix.
So all versions above 1:7.4p1-10+deb9u4 are safe, for example 1:7.4p1-10+deb9u5, 1:7.4p1-10+deb9u6, etc.
Ref: https://security-tracker.debian.org/tracker/CVE-2018-15473
I have had a very brief look into the ssh-audit code. Adding exclusions or other notifications for patched versions of SSH appears to be a large undertaking.
The ssh-audit code currently checks the major and minor versions of the SSH server and client and then does a lookup in an internal list of known vulnerabilities based on the major and minor version found.
At this time it does not appear that ssh-audit makes any attempt to validate the patch number.
As Debian and Ubuntu (and probably most other distros with LTS versions) tend to backport patches into older versions of SSH, this appears to raise the question: how would you check for all patch versions from all different OS distributors?
For example:
Debian: 1:7.4p1-10+deb9u4
Red Hat: 7.4p1-21
Ubuntu Bionic: 1:7.6p1-4ubuntu0.1
Ubuntu Cosmic: 1:7.7p1-4
Ubuntu Precise: 1:6.6p1-2ubuntu2.11
Should the onus be on the server administrator to ensure they have installed the latest patches from their vendor? Should ssh-audit be responsible if a typing mistake indicates "no CVE", but one is present?
Perhaps an alternative might be the discussion and development of a way to exclude or whitelist CVEs for a specific host? This approach would have its own potential issues, but would allow an administrator the ability to ignore CVEs that they have already verified and know to be patched.
Edit: Appears to be related to issue: https://github.com/jtesta/ssh-audit/issues/89
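The distro-revision check described in the comment above, as an added example that is not ssh-audit's own code: it reads the Debian package revision from the banner and compares it against the fixed version with a port of dpkg's version-comparison rules, so a backported fix such as 1:7.4p1-10+deb9u4 is recognised while a plain upstream or non-Debian banner returns "unknown" instead of a false "patched". It assumes the banner's "Debian-<rev>" suffix is the package revision and ignores the epoch, which the banner does not carry; the regex and function names are mine.

```python
import re

# Added example, not ssh-audit code. Assumes the banner's "Debian-<rev>" suffix is
# the package revision (OpenSSH_7.4p1 Debian-10+deb9u7 is 1:7.4p1-10+deb9u7) and
# ignores the epoch, which the banner never carries.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(?P<upstream>[\d.]+p?\d*)"
                       r"(?:\s+Debian-(?P<revision>\S+))?")

def _order(c):
    """dpkg character weight: '~' sorts before end-of-string (0), letters before symbols."""
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def dpkg_cmp(a, b):
    """Port of dpkg's verrevcmp: alternately compare non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros never count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or int(a[i]) - int(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # the longer numeric run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def version_cmp(a, b):
    """Compare 'epoch:upstream-revision' strings as dpkg does (epoch dropped)."""
    (ua, _, ra), (ub, _, rb) = (v.split(":", 1)[-1].rpartition("-") for v in (a, b))
    return dpkg_cmp(ua, ub) or dpkg_cmp(ra, rb)

def is_patched(banner, fixed_version):
    """True/False from the Debian revision in the banner; None when it carries none."""
    m = BANNER_RE.match(banner)
    if not m or not m.group("revision"):
        return None
    return version_cmp(f"{m.group('upstream')}-{m.group('revision')}", fixed_version) >= 0
```

A None result is the honest answer for the Red Hat and Ubuntu strings listed above: each vendor would need its own banner-to-package mapping and its own fixed-version table.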
FYI, I am considering removing CVE reporting from the tool. In #240, I described the rationale, as well as set up a voting process to hear from the community on whether or not it should remain.