Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Aug 2018 20:31:54 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH Username Enumeration

Hi,

On Wed, Aug 15, 2018 at 09:05:58AM -0700, Qualys Security Advisory wrote:
> Hi all,
> 
> We sent the following email to openssh@...nssh.com and
> distros@...openwall.org about an hour ago, and it was decided that we
> should send it to oss-security@...ts.openwall.com right away (as far as
> we know, no CVE has been assigned to this issue yet):
> 
> ========================================================================
> 
> While reviewing the latest OpenSSH commits, we stumbled across:
> 
> https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
> 
> Date:   Tue Jul 31 03:10:27 2018 +0000
>     delay bailout for invalid authenticating user until after the packet
>     containing the request has been fully parsed. Reported by Dariusz Tytko
>     and Michal Sajdak; ok deraadt
> 
> We realized that without this patch, a remote attacker can easily test
> whether a certain user exists or not (username enumeration) on a target
> OpenSSH server:
> 
>   87 static int
>   88 userauth_pubkey(struct ssh *ssh)
>   89 {
>  ...
>  101         if (!authctxt->valid) {
>  102                 debug2("%s: disabled because of invalid user", __func__);
>  103                 return 0;
>  104         }
>  105         if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
>  106             (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
>  107             (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
>  108                 fatal("%s: parse request failed: %s", __func__, ssh_err(r));
> 
> The attacker can try to authenticate a user with a malformed packet (for
> example, a truncated packet), and:
> 
> - if the user is invalid (it does not exist), then userauth_pubkey()
>   returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
>   to the attacker;
> 
> - if the user is valid (it exists), then sshpkt_get_u8() fails, and the
>   server calls fatal() and closes its connection to the attacker.
> 
> We believe that this issue warrants a CVE; it affects all operating
> systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0,
> released in November 2000), and is easier to exploit than previous
> OpenSSH username enumerations (which were all timing attacks):
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210

This new issue got assigned CVE-2018-15473 by MITRE.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.