Skip to content

v3.2.0

Compare
Choose a tag to compare
@jtesta jtesta released this 22 Apr 21:08
· 57 commits to master since this release
v3.2.0

This release features a new --dheat option to test targets for the DHEat denial-of-service attack (see CVE-2002-20001). Also included are changes to custom policies that allow targets to surpass the specified security level; this allows for the creation of baseline policies (partial credit yannik1015 and Damian Szuberski).

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

  • Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001).
  • Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
  • Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
  • Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
  • The built-in man page (-m, --manual) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
  • Snap builds are now architecture-independent.
  • Changed Docker base image from python:3-slim to python:3-alpine, resulting in a 59% reduction in image size; credit Daniel Thamdrup.
  • Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
  • Built-in policies now include a change log (use -L -v to view them).
  • Custom policies now support the allow_algorithm_subset_and_reordering directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit yannik1015.
  • Custom policies now support the allow_larger_keys directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit Damian Szuberski.
  • Color output is disabled if the NO_COLOR environment variable is set (see https://no-color.org/).
  • Added 1 new key exchange algorithm: gss-nistp384-sha384-*.
  • Added 1 new cipher: [email protected].