Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle CVEs fixed by Debian security updates #177

Open
williamdes opened this issue Mar 27, 2023 · 2 comments
Open

Handle CVEs fixed by Debian security updates #177

williamdes opened this issue Mar 27, 2023 · 2 comments

Comments

@williamdes
Copy link 

ssh-audit xxx.xxx.xxx
# general
(gen) banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
(gen) software: OpenSSH 7.4p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2018-15473                        -- (CVSSv2: 5.3) enumerate usernames due to timing discrepencies

One of our old servers should normally not report this CVE since its fixed by 1:7.4p1-10+deb9u4, a Debian security fix
So all versions above 1:7.4p1-10+deb9u4 are safe, example: 1:7.4p1-10+deb9u5 1:7.4p1-10+deb9u6 etc..

Ref: https://security-tracker.debian.org/tracker/CVE-2018-15473
@oam7575
Copy link

oam7575 commented May 15, 2023
edited

I have had a very brief look into the ssh-audit code. Adding exclusions or other notifications for patched versions of SSH appears to be a large undertaking.

The ssh-audit code currently checks the major and minor versions of the SSH server and client and then does a lookup to an internal list of known vulnerabilities based off the major and minor version found.

At this time it does not appear that ssh-audit makes any attempt to validate the patch number.

As Debian and Ubuntu ( and probably most other distros with LTS versions ) tend to back port patches into older versions of SSH this appears to raise the question; how would you check for all patch versions from all different OS distributors ?

For example
Debian : 1:7.4p1-10+deb9u4
Red Hat : 7.4p1-21
Ubuntu Bionic : 1:7.6p1-4ubuntu0.1
Ubuntu Cosmic : 1:7.7p1-4
Ubuntu Precise : 1:6.6p1-2ubuntu2.11

Should the onus be on the server administrator to ensure they have installed latest patches from their vendor?
Should ssh-audit be responsible if a typing mistake indicates "no CVE", but one is present ?

Perhaps an alternative might be the discussion and development of a way to exclude or whitelist CVE's for a specific host?
This approach would have its own potential issues; but would allow an administrator the ability to ignore CVE's that they have already verified and know to be patched.

Edit : Appears to be related to issue : #89

@jtesta
Copy link
Owner

jtesta commented Mar 15, 2024

FYI, I am considering removing CVE reporting from the tool. In #240, I described the rationale, as well as set up a voting process to hear from the community on whether or not it should remain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jtesta @williamdes @oam7575