Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 23 Aug 2018 12:35:52 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Dariusz Tytko <dariusz.tytko@...uritum.pl>
Subject: Re: OpenSSH Username Enumeration

On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
> We have published our writeup
> https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/, hope it
> helps to better understanding the problem.

Thanks.  We have a policy here that the actual content must be in the
message, not only included by reference.  Luckily, Qualys already
brought some detail in here, but nevertheless I'm also attaching a text
export of your blog post.  Next time you post, please take care of this
on your own (if relevant).

https://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"At least the most essential part of your message (e.g., vulnerability
detail and/or exploit) should be directly included in the message itself
(and in plain text), rather than only included by reference to an
external resource.  Posting links to relevant external resources as well
is acceptable, but posting only links is not.  Your message should
remain valuable even with all of the external resources gone."

As it relates to the actual issue (and past issues, which had to do with
the password hashing step being skipped or done differently), I'd like
to note that username enumeration will generally remain possible via
finer and more numerous timing measurements, primarily because user
lookup with getpwnam(3) and such is generally not timing-safe.  Fixing
some of these issues, we're just making username enumeration harder,
slower, and less reliable.  These are fine goals and it's great that
specific fixable issues are getting fixed, but I do see why the OpenSSH
team wouldn't formally treat this as a vulnerability.  OTOH, easy
username enumeration issues were treated as vulnerabilities (although
maybe not by upstreams, I just don't recall) at least for proftpd and
vsftpd (these got CVE IDs for such issues in 2004), and probably more.

Alexander

View attachment "OpenSSH-users-enumeration-CVE-2018-15473.txt" of type "text/plain" (10588 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.