fix(gost/debian): show all severities that appeared #1914

Merged
merged 1 commit into from May 16, 2024

Conversation

MaineK00n
Collaborator

@MaineK00n MaineK00n commented May 9, 2024

What did you implement:

Fixes #1913

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

docker.json
gost.sqlite3.zip

before

Either unimportant or not yet assigned is assigned to severity.

$ vuls report --refresh-cve
$ cat results/2024-05-08T12-10-02+0900/docker.json | jq '.scannedCves."CVE-2023-48795".cveContents'
{
  "debian_security_tracker": [
    {
      "type": "debian_security_tracker",
      "cveID": "CVE-2023-48795",
      "title": "",
      "summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for 
Rust.",
      "cvss2Score": 0,
      "cvss2Vector": "",
      "cvss2Severity": "unimportant",
      "cvss3Score": 0,
      "cvss3Vector": "",
      "cvss3Severity": "unimportant",
      "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2023-48795",
      "published": "0001-01-01T00:00:00Z",
      "lastModified": "0001-01-01T00:00:00Z",
      "optional": {
        "attack range": "local"
      }
    }
  ]
}

$ vuls report --refresh-cve
$ cat results/2024-05-08T12-10-02+0900/docker.json | jq '.scannedCves."CVE-2023-48795".cveContents'
{
  "debian_security_tracker": [
    {
      "type": "debian_security_tracker",
      "cveID": "CVE-2023-48795",
      "title": "",
      "summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for 
Rust.",
      "cvss2Score": 0,
      "cvss2Vector": "",
      "cvss2Severity": "not yet assigned",
      "cvss3Score": 0,
      "cvss3Vector": "",
      "cvss3Severity": "not yet assigned",
      "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2023-48795",
      "published": "0001-01-01T00:00:00Z",
      "lastModified": "0001-01-01T00:00:00Z",
      "optional": {
        "attack range": "local"
      }
    }
  ]
}

after

show all severities that appeared

$ vuls report --refresh-cve
$ cat results/2024-05-08T12-10-02+0900/docker.json | jq '.scannedCves."CVE-2023-48795".cveContents'
{
  "debian_security_tracker": [
    {
      "type": "debian_security_tracker",
      "cveID": "CVE-2023-48795",
      "title": "",
      "summary": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for 
Rust.",
      "cvss2Score": 0,
      "cvss2Vector": "",
      "cvss2Severity": "unimportant|not yet assigned",
      "cvss3Score": 0,
      "cvss3Vector": "",
      "cvss3Severity": "unimportant|not yet assigned",
      "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2023-48795",
      "published": "0001-01-01T00:00:00Z",
      "lastModified": "0001-01-01T00:00:00Z",
      "optional": {
        "attack range": "local"
      }
    }
  ]
}

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@MaineK00n MaineK00n self-assigned this May 9, 2024
@MaineK00n MaineK00n marked this pull request as ready for review May 9, 2024 03:00
@MaineK00n MaineK00n requested a review from shino May 9, 2024 03:00
@MaineK00n MaineK00n force-pushed the MaineK00n/debian-fix-severity branch from c1aa99f to 0c5e900 Compare May 9, 2024 03:21
@MaineK00n MaineK00n changed the title fix(gost/debian): select severity by severity rank fix(gost/debian): show severities that appeared May 9, 2024
@MaineK00n MaineK00n changed the title fix(gost/debian): show severities that appeared fix(gost/debian): show all severities that appeared May 9, 2024
@MaineK00n MaineK00n force-pushed the MaineK00n/debian-fix-severity branch 5 times, most recently from 45ddb71 to 11fb853 Compare May 16, 2024 02:07
@MaineK00n MaineK00n force-pushed the MaineK00n/debian-fix-severity branch from 11fb853 to 170e868 Compare May 16, 2024 02:14
Collaborator

@shino shino left a comment

Yeah!

@MaineK00n MaineK00n merged commit e4728e3 into master May 16, 2024
7 checks passed
@MaineK00n MaineK00n deleted the MaineK00n/debian-fix-severity branch May 16, 2024 09:01
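
The before/after behaviour described in this PR, as an added Go example that is not the vuls or gost code: when one urgency is picked from several tracker entries, the reported severity depends on which entry comes first, while collecting every distinct urgency gives the same string on every scan. The `row` type, the function names, the sample rows and the rank order are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// row is a constructed stand-in for one tracker entry (not the gost/vuls type).
type row struct{ Package, Urgency string }

// rank orders urgency labels for display. The order is an assumption, chosen
// to reproduce the "unimportant|not yet assigned" order in the PR output.
var rank = map[string]int{"unimportant": 1, "not yet assigned": 2, "low": 3, "medium": 4, "high": 5}

// firstSeverity models the "before" behaviour: one row's urgency wins, so the
// reported value depends on the order in which rows happen to arrive.
func firstSeverity(rows []row) string {
	if len(rows) == 0 {
		return ""
	}
	return rows[0].Urgency
}

// allSeverities models the "after" behaviour: every distinct urgency is kept,
// sorted by rank and joined with "|", so row order no longer matters.
func allSeverities(rows []row) string {
	seen := map[string]bool{}
	var out []string
	for _, r := range rows {
		if r.Urgency != "" && !seen[r.Urgency] {
			seen[r.Urgency] = true
			out = append(out, r.Urgency)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		ri, rj := rank[out[i]], rank[out[j]]
		return ri < rj || (ri == rj && out[i] < out[j]) // ties: order by name
	})
	return strings.Join(out, "|")
}

func main() {
	// Constructed sample: the same two rows seen in two different orders.
	a := []row{{"pkg-a", "not yet assigned"}, {"pkg-b", "unimportant"}}
	b := []row{a[1], a[0]}
	fmt.Println(firstSeverity(a), "/", firstSeverity(b))
	fmt.Println(allSeverities(a), "/", allSeverities(b))
}
```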
Successfully merging this pull request may close these issues.

severity is different for each scan on debian