CVE-2023-38408_scan.py
# $t@$h
# This script doesn't require authentication and doesn't do any remote inspection, so it's safe to run.
# It is intended to check the local host system's crypto versions and give some insight.
# If you see warnings for crypto versions, realize you can blocklist those versions to ensure that
# only the versions you want are used. However, this will sacrifice some backwards compatibility.
import subprocess
import re
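def check_ssh_client_version(min_recommended_version=(8, 3), version_output=None):
    """Print the local OpenSSH client version and warn when it is below a floor.

    The version is compared as a tuple of integers. The previous float-based
    comparison turned "7.4" into 74.0, so the warning could never fire.

    Args:
        min_recommended_version: Lowest acceptable release as a tuple of ints,
            ``(major, minor)`` or ``(major, minor, portable_patch)``. The
            default ``(8, 3)`` is the floor the script has always used (FIDO2
            discoverable credentials as of 11/27/2023; non-discoverable is
            8.2p1). Pass ``(9, 3, 2)`` to require OpenSSH 9.3p2, the release
            the original author lists for CVE-2023-38408.
        version_output: Optional banner text to evaluate instead of running
            ``ssh -V``, e.g. a banner already collected by an inventory tool.

    Returns:
        None. Results are printed to stdout.
    """
    if version_output is None:
        try:
            # `ssh -V` writes its banner to stderr, not stdout.
            version_result = subprocess.run(
                ["ssh", "-V"], capture_output=True, text=True, check=True
            )
        except (OSError, subprocess.CalledProcessError) as e:
            # OSError covers a missing or non-executable ssh binary, which
            # previously escaped as an unhandled exception.
            print(f"!!!Error: Unable to check SSH client version - {e}")
            return
        version_info = version_result.stderr.strip()
    else:
        version_info = version_output.strip()

    print(f"__SSH Client Version Check__\nVersion: {version_info}")

    # Captures major, minor and the optional portable patch level ("p2").
    # The Windows build reports itself as "OpenSSH_for_Windows_<version>".
    match = re.search(
        r"OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)(?:p(\d+))?", version_info
    )
    if match is None:
        print("!!!Error: Unable to determine OpenSSH version.")
        return

    installed = tuple(int(part or 0) for part in match.groups())
    # Pad the floor to three fields so (8, 3) compares as (8, 3, 0).
    required = (tuple(min_recommended_version) + (0, 0, 0))[:3]

    # NOTE: a version string is only a heuristic. Distribution packages often
    # backport security fixes without changing the upstream version number, so
    # confirm against the vendor's advisory before treating a host as
    # vulnerable or as patched.
    if installed < required:
        print("***Warning: Update Recommended. Consider a more recent OpenSSH for improved security.")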
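def check_ssh_key_size(key_path):
    """Print the ``ssh-keygen -l`` line(s) for a key file and warn on short keys.

    The 2048-bit floor is applied only to RSA and DSA keys. Elliptic-curve
    keys report sizes such as 256 bits, which the previous check wrongly
    flagged as an RSA key shorter than 2048 bits.

    Args:
        key_path: Path to a private or public key file. An empty value skips
            the check instead of invoking ssh-keygen with no file.

    Returns:
        None. Results are printed to stdout.
    """
    print("__SSH Key Size Check__")
    if not key_path:
        print("[SSH Key Size Check] - skipped: no key path provided.")
        return

    try:
        keygen_result = subprocess.run(
            ["ssh-keygen", "-l", "-f", key_path], capture_output=True, text=True
        )
    except OSError as e:
        # Raised when ssh-keygen is missing or cannot be executed. The old
        # CalledProcessError handler was unreachable without check=True.
        print(f"!!!Error: Unable to retrieve SSH key size from {key_path} - {e}")
        return

    if keygen_result.returncode != 0:
        print(f"!!!Error: Unable to retrieve SSH key size from {key_path}")
        print(keygen_result.stderr.strip())
        return

    # A file holding several keys yields one line per key, so check each line.
    for line in keygen_result.stdout.splitlines():
        line = line.strip()
        if not line:
            continue
        print(f"[SSH Key Size Check] - {line}")

        fields = line.split()
        try:
            key_size = int(fields[0])
        except ValueError:
            print("!!!Error: Unable to parse key size from ssh-keygen output.")
            continue

        # ssh-keygen -l normally ends each line with the key type in
        # parentheses, e.g. "(RSA)" or "(ED25519)". If that field is absent,
        # no size warning is raised for the line.
        key_type = fields[-1].strip("()").upper()

        # NIST SP 800-57 recommends 112-bit security strength as of
        # 11/27/2023, which corresponds to a 2048-bit modulus for RSA/DSA.
        if key_type in ("RSA", "DSA") and key_size < 2048:
            print(f"***Warning: {key_type} key size is less than 2048 bits. Consider using a larger key for better security.")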
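def check_ssh_vulnerabilities():
    """List the algorithms the local ssh binary supports and flag weak ones.

    ``ssh -Q`` reports what the binary was built to support, not what the
    effective configuration enables. A warning therefore means the algorithm
    is available to be configured, not that it will be negotiated. The
    effective per-host settings can be inspected with ``ssh -G <host>``.

    Names are matched exactly, one per output line. The previous substring
    test reported 'hmac-md5' whenever any longer name containing it (such as
    'hmac-md5-96') was present.

    Returns:
        None. Results are printed to stdout.
    """
    try:
        # check=True makes a failing `ssh -Q` surface as an error instead of
        # empty output that would read as "no weak algorithms found".
        supported = {
            query: subprocess.run(
                ["ssh", "-Q", query], capture_output=True, text=True, check=True
            ).stdout
            for query in ("kex", "cipher", "mac")
        }
    except (OSError, subprocess.CalledProcessError) as e:
        # OSError covers a missing or non-executable ssh binary.
        print(f"!!!Error: Unable to retrieve SSH configuration - {e}")
        return

    print("__SSH Configuration Check__")
    print("Supported Key Exchange Algorithms:")
    print(supported["kex"].strip())
    print("Supported Ciphers:")
    print(supported["cipher"].strip())
    print("Supported MACs:")
    print(supported["mac"].strip())

    # These lists are a starting point, not an exhaustive policy; extend them
    # to match your organisation's baseline.
    weak_kex = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
    weak_ciphers = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"]
    # The -etm@openssh.com variants are listed explicitly because exact
    # matching no longer catches them through the base name.
    weak_macs = [
        "hmac-md5",
        "hmac-md5-96",
        "hmac-sha1-96",
        "hmac-md5-etm@openssh.com",
        "hmac-md5-96-etm@openssh.com",
        "hmac-sha1-96-etm@openssh.com",
    ]

    checks = (
        ("kex", weak_kex, "key exchange algorithm"),
        ("cipher", weak_ciphers, "cipher"),
        ("mac", weak_macs, "MAC"),
    )
    for query, weak_names, label in checks:
        available = set(supported[query].split())
        for name in weak_names:
            if name in available:
                print(f"***Warning: '{name}' is a weak {label}.")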
# Run the three local checks in order: client version, key size, algorithms.
# Set this to the path of an SSH key file to have that key inspected.
ssh_key_path = ''
check_ssh_client_version()
check_ssh_key_size(ssh_key_path)
check_ssh_vulnerabilities()