Bug #27840: CIS RHEL 9 Section 5.1.4 : Test for absence of disallowed ciphers is not properly working

Added by Michel BOUISSOU 11 days ago. Updated 1 day ago.

Status: New
Priority: 1 (highest)
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

Current system configuration:

root@alma9-cis:~# sshd -T | grep ciphers
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr

Test performed by the CIS module with default parameters:

root@alma9-cis:~# sshd -T | grep -Piq -- '^ciphers\s+\"?chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
root@alma9-cis:~# echo $?
1

This is wrong because we cannot predict that the node actually supports all authorized ciphers, so it should fail only if the node would support any unallowed cipher.

Furthermore, even after changing the list of allowed ciphers to the list of ciphers actually supported by the node, this still fails:

root@alma9-cis:~# sshd -T | grep ciphers
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
root@alma9-cis:~# sshd -T | grep -Piq -- '^ciphers\s+\"?chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
root@alma9-cis:~# echo $?
1

Here it seems to fail only because the order of ciphers listed by OpenSSH differs from the order in the allowed ciphers list.

This is bad because we cannot be sure about the order in which sshd will list its allowed ciphers.

So it seems that our test is way too strict, as the grep we use needs the sshd daemon to output the exact list of ciphers we allow (and not a subset of it), plus they need to be output in the exact same order for our test to succeed.

#1 Updated by Michel BOUISSOU 11 days ago

Same issue for 5.1.5 and 5.1.6, plus the regex should be anchored, for grepping for "kexalgorithms" also matches "gssapikexalgorithms".

root@alma9-cis:~# sshd -T | grep -Piq -- 'kexalgorithms\s+\"?curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
root@alma9-cis:~# echo $?
1
root@alma9-cis:~# sshd -T | grep kexalgorithms
gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
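The two problems raised above (the description's order-dependent exact-match grep, and this comment's unanchored "kexalgorithms" pattern that also matches "gssapikexalgorithms") can both be avoided by parsing the `sshd -T` output and checking membership per algorithm. The script below is an added example, not code from the report or from the Rudder CIS module; the function name `check_only_allowed` and the sample `sshd -T` output (constructed from the lines quoted in this ticket) are assumptions made for illustration. It fails only when sshd reports an algorithm that is not in the allowed list, regardless of order or of which subset the node supports.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the Rudder CIS module):
# an order-independent, anchored check that the algorithm list sshd reports
# for a keyword contains only allowed entries.

# Constructed sample of `sshd -T` output, built from the lines quoted in
# the ticket (real output has many more lines; only these matter here).
SAMPLE_SSHD_T='gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'

# check_only_allowed KEYWORD ALLOWED_CSV [SSHD_T_OUTPUT]
# Returns 0 when every algorithm sshd reports for KEYWORD is in ALLOWED_CSV
# (any order, any subset), 1 when at least one disallowed algorithm is
# present (each one is printed), 2 when KEYWORD is not found at all.
# SSHD_T_OUTPUT defaults to running `sshd -T` on the local host.
check_only_allowed() {
    keyword=$1
    allowed=$2
    output=${3:-"$(sshd -T 2>/dev/null)"}

    # Match the keyword as the whole first field of a line, so that
    # "kexalgorithms" does not also match "gssapikexalgorithms".
    # sshd -T prints keywords lowercased; compare lowercased to be safe.
    actual=$(printf '%s\n' "$output" |
        awk -v k="$keyword" 'tolower($1) == k { print $2; exit }')
    [ -n "$actual" ] || return 2

    rc=0
    for alg in $(printf '%s\n' "$actual" | tr ',' ' '); do
        # Membership test on the comma-delimited allowed list; the
        # surrounding commas prevent partial matches such as aes128-ctr
        # matching inside aes128-ctr-foo.
        case ",$allowed," in
            *",$alg,"*) ;;
            *) printf 'disallowed %s: %s\n' "$keyword" "$alg"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage against the constructed sample, with the CIS 5.1.4 default cipher
# list in the order the module uses; the node lists a subset in a different
# order, and the check now passes.
CIS_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
check_only_allowed ciphers "$CIS_CIPHERS" "$SAMPLE_SSHD_T" && echo "ciphers: only allowed algorithms present"

# A stricter allowed list makes the check fail and name the offender.
check_only_allowed ciphers 'aes256-gcm@openssh.com,chacha20-poly1305@openssh.com' "$SAMPLE_SSHD_T" || echo "ciphers: check failed as expected"
```

Dropping the third argument runs the check against the live `sshd -T` output of the host, which is how it would be used inside the module. Note that this only verifies the negative condition the ticket asks for (no disallowed algorithm offered); it deliberately does not require the node to support every allowed algorithm.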

#2 Updated by Nicolas CHARLES 1 day ago

  • Priority changed from To review to 1 (highest)

#3 Updated by François ARMAND 1 day ago

  • Assignee set to Elaad FURREEDAN