CVE-2023-48795
# $t@$h
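# CVE-2023-48795, also known as Terrapin.
# This script DOES affect your system if Linux.
# It will go ahead and patch your SSH.
# NOTE(review): as written, the code below only prints the upgrade commands
# on Linux; it does not run them.
# On Windows it gives some suggestions.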
# Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk,
# of Ruhr University Bochum as well as Qualys for insight
import subprocess
import platform
import socket
# Patched SSH versions as of 1/2/2024.
#
# Maps an SSH implementation name to the release(s) listed as patched.
# A value is either a single version string or a list of version strings.
# "To be released" marks implementations with no patched release in this
# snapshot. The table is static: re-check vendor advisories before relying
# on it, since it is not refreshed at runtime.
patched_ssh_versions = {
    # --- A-C ---
    "AsyncSSH": "2.14.2",
    "Bitvise SSH": "9.33",
    "ConnectBot": "1.9.10",
    "CrushFTP": "10.6.0",
    "CycloneSSH": "2.3.4",
    # --- D-J ---
    "Dropbear": "To be released",
    "Erlang/OTP SSH": [
        "OTP 26.2.1",
        "OTP 25.3.2.8",
        "OTP 24.3.4.15",
    ],
    "FileZilla Client": "3.66.4",
    "Golang x/crypto/ssh": "0.17.0",
    "JSch (Fork)": "0.2.15",
    # --- L-O ---
    "libssh": [
        "0.10.6",
        "0.9.8",
    ],
    "libssh2": "To be released",
    "Maverick Legacy": "1.7.56",
    "Maverick Synergy": [
        "3.0.22",
        "3.1.0-SNAPSHOT",
    ],
    "Nova": "11.8",
    "OpenSSH": "9.6 / 9.6p1",
    # --- P-R ---
    "Paramiko": "3.4.0",
    "phpseclib": [
        "3.0.35",
        "2.0.46",
        "1.0.22",
    ],
    "PKIX-SSH": "14.4",
    "ProFTPD": "1.3.8b",
    "PuTTY": "0.80",
    "Russh": "0.40.2",
    # --- S-T ---
    "SecureCRT": "9.4.3",
    "SFTP Gateway": "3.4.6",
    "SFTPGo": [
        "2.5.6",
        "2.4.6",
    ],
    "ssh2": "1.15.0",
    "sshj": "To be released",
    "Tera Term": [
        "5.1",
        "4.108",
    ],
    "Thrussh": "0.35.1",
    "TinySSH": "To be released",
    "Transmit": "5.10.4",
    # --- W-X ---
    "Win32-OpenSSH": "9.5.0.0p1-Beta",
    "WinSCP": "6.2.2 beta",
    "XShell 7": "Build 0144",
}
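def check_ssh_port():
    """Report whether an SSH server answers on localhost port 22.

    Connects over IPv4 TCP to localhost:22 and prints the result. An open
    port alone does not prove the listener speaks SSH, so after connecting
    the function reads the server's identification string (which starts
    with "SSH-") and reports it. The identification string is also the
    server-side version, which `ssh -V` (client version) does not reveal.

    Returns:
        None. All results are printed.
    """
    default_ssh_port = 22
    host = "localhost"
    received = b""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # Bound both the connect and the banner read so a filtered or
        # silent port cannot hang the script.
        s.settimeout(3)
        return_code = s.connect_ex((host, default_ssh_port))
        if return_code != 0:
            print(f"Warning: SSH is not running on the default port ({default_ssh_port}). Please check your configuration.")
            return
        try:
            received = s.recv(1024)
        except OSError:
            # Timeout or reset while waiting for the banner: treat as
            # "no identification string received".
            received = b""

    # A server may send other lines before its identification string, so
    # look for the first line that begins with "SSH-".
    lines = received.decode("ascii", errors="replace").splitlines()
    identification = next((ln.strip() for ln in lines if ln.startswith("SSH-")), "")
    if identification:
        print(f"SSH is running on the default port: {default_ssh_port}")
        print(f"Server identification: {identification}")
    else:
        print(f"Warning: port {default_ssh_port} is open but did not present an SSH identification string.")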
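def get_ssh_version():
    """Return the version banner printed by the local `ssh` client.

    Runs `ssh -V` and returns its output with surrounding whitespace
    removed. This is the version of the `ssh` client binary found on PATH;
    an SSH server on the same host may be a different version.

    Returns:
        The version text, or None when `ssh` cannot be run, exits with a
        non-zero status, times out, or prints nothing.
    """
    try:
        result = subprocess.run(
            ["ssh", "-V"],
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.SubprocessError) as e:
        # OSError covers a missing or non-executable `ssh` binary
        # (FileNotFoundError, PermissionError); SubprocessError covers the
        # timeout. Without check=True, run() never raises
        # CalledProcessError, so the exit status is checked below instead.
        print(f"Error checking SSH version: {e}")
        return None

    if result.returncode != 0:
        print(f"Error checking SSH version: exit status {result.returncode}")
        return None

    # Typically outputs to stderr; fall back to stdout if stderr is empty.
    version_info = (result.stderr or result.stdout).strip()
    return version_info or None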
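def recommend_patch():
    """Print upgrade guidance for the current operating system.

    On Linux, prints the package-manager commands for upgrading OpenSSH.
    On Windows, prints a Windows Update reminder followed by the patched
    version of every implementation in `patched_ssh_versions`. On any
    other system, prints that the OS was not recognized.

    This function only prints; it does not run any of the commands.

    Returns:
        None.
    """
    # NOTE: the countermeasure for CVE-2023-48795 (strict key exchange) only
    # takes effect when both the client and the server support it, so
    # upgrading one side alone does not close the issue.
    os_info = platform.system()
    if os_info == "Linux":
        print("Linux patching instructions:")
        print(" Debian/Ubuntu: `sudo apt-get install --only-upgrade openssh-client openssh-server`")
        print(" Red Hat/CentOS: `sudo yum update openssh`")
        print(" Ensure your system is using a non-vulnerable version of SSH.")
    elif os_info == "Windows":
        print("Windows patching instructions:")
        print(" Update to the latest version of Windows through Windows Update.")
        print(" For third-party SSH clients, consider updating to the following patched versions:")
        # The original looped over `patched_ssh_versions_windows`, which is
        # not defined in the visible file and would raise NameError here.
        # The full table is used instead, so it also lists implementations
        # that are not Windows-specific.
        for implementation, version in patched_ssh_versions.items():
            if version == "To be released":
                print(f" {implementation}: no patched release listed yet")
                continue
            # Some entries list several patched releases; show them as text
            # rather than as a Python list repr.
            if isinstance(version, (list, tuple)):
                version = ", ".join(version)
            print(f" {implementation}: Update to version {version} or later")
    else:
        print(f"Operating system '{os_info}' not recognized as Windows or Linux.")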
def main():
    """Run the checks: client version, then port probe and patch advice.

    When the SSH version cannot be determined, prints a message and skips
    the port check and the recommendations.
    """
    version_info = get_ssh_version()
    if not version_info:
        print("Could not determine SSH version.")
        return

    print(f"SSH Version: {version_info}")
    check_ssh_port()
    recommend_patch()


if __name__ == "__main__":
    main()