Date: Thu, 23 Aug 2018 12:35:52 +0200 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: Dariusz Tytko <dariusz.tytko@...uritum.pl> Subject: Re: OpenSSH Username Enumeration On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote: > We have published our writeup > https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/, hope it > helps to better understanding the problem. Thanks. We have a policy here that the actual content must be in the message, not only included by reference. Luckily, Qualys already brought some detail in here, but nevertheless I'm also attaching a text export of your blog post. Next time you post, please take care of this on your own (if relevant). https://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines "At least the most essential part of your message (e.g., vulnerability detail and/or exploit) should be directly included in the message itself (and in plain text), rather than only included by reference to an external resource. Posting links to relevant external resources as well is acceptable, but posting only links is not. Your message should remain valuable even with all of the external resources gone." As it relates to the actual issue (and past issues, which had to do with the password hashing step being skipped or done differently), I'd like to note that username enumeration will generally remain possible via finer and more numerous timing measurements, primarily because user lookup with getpwnam(3) and such is generally not timing-safe. Fixing some of these issues, we're just making username enumeration harder, slower, and less reliable. These are fine goals and it's great that specific fixable issues are getting fixed, but I do see why the OpenSSH team wouldn't formally treat this as a vulnerability. OTOH, easy username enumeration issues were treated as vulnerabilities (although maybe not by upstreams, I just don't recall) at least for proftpd and vsftpd (these got CVE IDs for such issues in 2004), and probably more. Alexander View attachment "OpenSSH-users-enumeration-CVE-2018-15473.txt" of type "text/plain" (10588 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.