
Fix detection of GSS algorithms #230

Closed

jtesta opened this issue Dec 20, 2023 · 5 comments

Comments


jtesta commented Dec 20, 2023

The following key exchanges are perhaps not detected properly:

gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==
gss-curve25519-sha256-vz8J1E9PzLr8b1K+0remTg==
gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==
gss-gex-sha1-vz8J1E9PzLr8b1K+0remTg==
gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==
gss-group14-sha1-vz8J1E9PzLr8b1K+0remTg==
gss-group14-sha256-vz8J1E9PzLr8b1K+0remTg==
gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==
gss-group16-sha512-vz8J1E9PzLr8b1K+0remTg==
gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==
gss-group1-sha1-vz8J1E9PzLr8b1K+0remTg==
gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==
gss-nistp256-sha256-vz8J1E9PzLr8b1K+0remTg==

ecki commented Dec 23, 2023

I have an example of this with PuTTY; find the output attached. NB: this PuTTY has a custom algorithm order.

# general
(gen) client IP: ::1
(gen) banner: SSH-2.0-PuTTY_Release_0.79
(gen) software: PuTTY 0.79
(gen) compression: enabled (zlib, zlib@openssh.com)

# key exchange algorithms
(kex) gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-nistp521-sha512-toWM5Slw5Ew8Mqkay+al2g==    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g==    -- [warn] unknown algorithm
(kex) gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group17-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group18-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==     -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==           -- [fail] using broken SHA-1 hash algorithm
(kex) gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==       -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==        -- [fail] using small 1024-bit modulus
                                                      `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
                                                      `- [fail] using broken SHA-1 hash algorithm
(kex) sntrup761x25519-sha512@openssh.com              -- [info] available since OpenSSH 8.5
(kex) curve448-sha512
(kex) curve25519-sha256                               -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                                      `- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org                    -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
                                                      `- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256                              -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                              -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                              -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256            -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1              -- [fail] using broken SHA-1 hash algorithm
                                                      `- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group18-sha512                   -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group17-sha512
(kex) diffie-hellman-group16-sha512                   -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group15-sha512
(kex) diffie-hellman-group14-sha256                   -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
                                                      `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1                     -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
                                                      `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) rsa2048-sha256                                  -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) rsa1024-sha1                                    -- [fail] using small 1024-bit modulus
                                                      `- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1                      -- [fail] using small 1024-bit modulus
                                                      `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
                                                      `- [fail] using broken SHA-1 hash algorithm
                                                      `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
                                                      `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
(kex) ext-info-c                                      -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions

# host-key algorithms
(key) ssh-ed25519                                     -- [info] available since OpenSSH 6.5
(key) ecdsa-sha2-nistp256                             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [warn] using weak random number generator could reveal the key
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp384                             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [warn] using weak random number generator could reveal the key
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp521                             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
                                                      `- [warn] using weak random number generator could reveal the key
                                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed448
(key) rsa-sha2-512                                    -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256                                    -- [info] available since OpenSSH 7.2
(key) ssh-rsa                                         -- [fail] using broken SHA-1 hash algorithm
                                                      `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                                      `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-dss                                         -- [fail] using small 1024-bit modulus
                                                      `- [warn] using weak random number generator could reveal the key
                                                      `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
                                                      `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
(key) null                                            -- [fail] no encryption/integrity

# encryption algorithms (ciphers)
(enc) aes128-gcm@openssh.com                          -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                          -- [info] available since OpenSSH 6.2
(enc) aes256-ctr                                      -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc                                      -- [warn] using weak cipher mode
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) rijndael-cbc@lysator.liu.se                     -- [fail] using deprecated & non-standardized Rijndael cipher
                                                      `- [warn] using weak cipher mode
                                                      `- [info] available since OpenSSH 2.3.0
                                                      `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
(enc) aes192-ctr                                      -- [info] available since OpenSSH 3.7
(enc) aes192-cbc                                      -- [warn] using weak cipher mode
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 2.3.0
(enc) aes128-ctr                                      -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc                                      -- [warn] using weak cipher mode
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
(enc) chacha20-poly1305@openssh.com                   -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.5
                                                      `- [info] default cipher since OpenSSH 6.9
(enc) 3des-ctr                                        -- [fail] using broken & deprecated 3DES cipher
                                                      `- [info] available since Dropbear SSH 0.52
(enc) 3des-cbc                                        -- [fail] using broken & deprecated 3DES cipher
                                                      `- [warn] using weak cipher mode
                                                      `- [warn] using small 64-bit block size
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
(enc) blowfish-ctr                                    -- [fail] using weak & deprecated Blowfish cipher
                                                      `- [warn] using weak cipher mode
                                                      `- [warn] using small 64-bit block size
(enc) blowfish-cbc                                    -- [fail] using weak & deprecated Blowfish cipher
                                                      `- [warn] using weak cipher mode
                                                      `- [warn] using small 64-bit block size
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
(enc) arcfour256                                      -- [fail] using broken RC4 cipher
                                                      `- [info] available since OpenSSH 4.2
(enc) arcfour128                                      -- [fail] using broken RC4 cipher
                                                      `- [info] available since OpenSSH 4.2

# message authentication code algorithms
(mac) hmac-sha2-256                                   -- [warn] using encrypt-and-MAC mode
                                                      `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                                   -- [warn] using encrypt-and-MAC mode
                                                      `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                                       -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] using encrypt-and-MAC mode
                                                      `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha1-96                                    -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] using encrypt-and-MAC mode
                                                      `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
(mac) hmac-md5                                        -- [fail] using broken MD5 hash algorithm
                                                      `- [warn] using encrypt-and-MAC mode
                                                      `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256-etm@openssh.com                   -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com                   -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com                       -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.2
(mac) hmac-sha1-96-etm@openssh.com                    -- [fail] using broken SHA-1 hash algorithm
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.2
(mac) hmac-md5-etm@openssh.com                        -- [fail] using broken MD5 hash algorithm
                                                      `- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
                                                      `- [info] available since OpenSSH 6.2

# additional info
(nfo) PuTTY does not have the option of restricting any algorithms during the SSH handshake.



!!! WARNING: unknown algorithm(s) found!: gss-nistp384-sha384-*.  Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.


jtesta commented Mar 14, 2024

@ecki : thanks for posting this. This shows that the GSS parsing seems to be working--at least for client audits. I should still double-check that server audits still parse them correctly, though.

Also, I see that PuTTY supports an algorithm that ssh-audit doesn't know about: gss-nistp384-sha384-*. I just checked in support for this missing algorithm: 064b55e

Thanks again!
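For readers following the "GSS parsing" question in this thread, here is an added illustration (not ssh-audit's own code, and not the commit referenced above) of how the `gss-*` key-exchange names are built and how a checker can classify them. RFC 4462 and RFC 8732 define the names as `gss-<base>-<suffix>`, where the suffix is the base64 encoding of the MD5 hash of the DER-encoded OID of the GSS-API mechanism; the base part names the group and hash. The checker therefore strips the mechanism suffix, looks the base up in a table, and reports an unmatched base as `gss-<base>-*`, which is the shape the warning at the end of the PuTTY output above has. The algorithm table, its note wording and the sample client list are constructed for this example (the notes copy the phrasing ssh-audit prints for the equivalent non-GSS names); the OID-to-suffix derivation and the Kerberos V5 OID are taken from RFC 4462 section 2.1.1.

```python
"""Constructed example: form and classification of GSS-API kex names.

Not ssh-audit's code.  Suffix derivation follows RFC 4462 / RFC 8732:
suffix = base64(MD5(DER(mechanism OID))).  The KNOWN_GSS_BASES table and
its note strings are made up for this example.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Kerberos V5 mechanism OID; RFC 4462 section 2.1.1 gives its kex suffix.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"


def der_encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length byte, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def gss_mech_suffix(oid: str) -> str:
    """Per-mechanism suffix of a gss-* kex name: base64(MD5(DER(OID)))."""
    # MD5 is what the RFC prescribes for this name-mangling; it is not a
    # security choice here, only an identifier derivation.
    digest = hashlib.md5(der_encode_oid(oid)).digest()
    return base64.b64encode(digest).decode("ascii")


# An MD5 digest is 16 bytes, so its base64 form is always 22 chars plus "==".
GSS_KEX_RE = re.compile(r"^gss-(?P<base>[a-z0-9-]+)-(?P<mech>[A-Za-z0-9+/]{22}==)$")

# Constructed table of base methods and the notes a checker would attach.
KNOWN_GSS_BASES: Dict[str, List[str]] = {
    "curve25519-sha256": [],
    "nistp256-sha256": ["[fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"],
    "group16-sha512": [],
    "group14-sha256": ["[warn] 2048-bit modulus only provides 112-bits of symmetric strength"],
    "group14-sha1": ["[fail] using broken SHA-1 hash algorithm",
                     "[warn] 2048-bit modulus only provides 112-bits of symmetric strength"],
    "gex-sha1": ["[fail] using broken SHA-1 hash algorithm"],
    "group1-sha1": ["[fail] using small 1024-bit modulus",
                    "[fail] vulnerable to the Logjam attack",
                    "[fail] using broken SHA-1 hash algorithm"],
}


def classify_gss_kex(name: str) -> Optional[dict]:
    """Split a gss-* name into base and mechanism suffix and rate the base.

    Returns None for names that are not GSS-API key exchanges at all."""
    m = GSS_KEX_RE.match(name)
    if m is None:
        return None
    base = m.group("base")
    return {
        "base": base,
        "mech": m.group("mech"),          # opaque per-mechanism suffix
        "known": base in KNOWN_GSS_BASES,
        "notes": list(KNOWN_GSS_BASES.get(base, [])),
        "pattern": f"gss-{base}-*",       # how an unknown base is reported
    }


def audit_kex_list(names: List[str]) -> List[str]:
    """Return the sorted gss-<base>-* patterns whose base has no table entry."""
    unknown = set()
    for name in names:
        info = classify_gss_kex(name)
        if info is not None and not info["known"]:
            unknown.add(info["pattern"])
    return sorted(unknown)


if __name__ == "__main__":
    # Constructed client offer, shaped like the PuTTY list in this thread.
    sample = [
        "gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==",
        "gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g==",
        "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==",
        "curve25519-sha256",
    ]
    print("Kerberos V5 suffix:", gss_mech_suffix(KRB5_MECH_OID))
    for n in sample:
        print(n, "->", classify_gss_kex(n))
    print("unknown:", audit_kex_list(sample))
```

The suffix the Kerberos V5 OID produces is the one every `gss-*` entry in the PuTTY offer above carries, which is why stripping it and matching on the base is enough; a different mechanism (the other suffixes in the opening comment) changes only the suffix, not the base the security notes depend on.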


ecki commented Mar 15, 2024

You also might want to add the version info for curve448-sha512 (I assume it was introduced in OpenSSH together with curve25519-sha256, but I'm not sure: how do you find those, try/review source?) and

sntrup761x25519-sha512@openssh.com              -- [info] available since OpenSSH 8.5

is the default since 9.0 in OpenSSH.


jtesta commented Mar 15, 2024

You also might want to add the version info for curve448-sha512

I don't believe that was added to OpenSSH, since they don't support Curve448 at all (unfortunately).

how do you find those, try/review source

I get version info from the OpenSSH release notes. And I get info about new algorithms mainly from the debugging logs from the ssh-audit.com web front-end (people scan all kinds of exotic SSH servers...).

sntrup761x25519-sha512@openssh.com [...] Is default since 9.0 in openssh

Thanks for the tip! Fixed in: 7b3402b


jtesta commented Mar 15, 2024

Closing this issue, since additional testing showed that the GSS algorithms are indeed being parsed correctly.

jtesta closed this as completed Mar 15, 2024