Bug 1105010 (CVE-2018-15473)

Summary: VUL-1: CVE-2018-15473: openssh-openssl1,openssh: OpenSSH Username Enumeration
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: astieger, hhetter, jsikes, leilei.shen, meissner, smash_bz, stefan.kunze, suse
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/216311/
Whiteboard: CVSSv3:SUSE:CVE-2018-15473:5.8:(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) CVSSv3:SUSE:CVE-2018-15919:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) maint:released:sle10-sp3:64211
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2018-08-16 05:38:12 UTC
OSS:2018/Q3/124

https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
 OpenSSH Username Enumeration From: Qualys Security Advisory <qsa () qualys com>
Date: Wed, 15 Aug 2018 09:05:58 -0700

Hi all,

We sent the following email to openssh () openssh com and
distros () vs openwall org about an hour ago, and it was decided that we
should send it to oss-security () lists openwall com right away (as far as
we know, no CVE has been assigned to this issue yet):

========================================================================

While reviewing the latest OpenSSH commits, we stumbled across:

https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0

Date:   Tue Jul 31 03:10:27 2018 +0000
    delay bailout for invalid authenticating user until after the packet
    containing the request has been fully parsed. Reported by Dariusz Tytko
    and Michal Sajdak; ok deraadt

We realized that without this patch, a remote attacker can easily test
whether a certain user exists or not (username enumeration) on a target
OpenSSH server:

  87 static int
  88 userauth_pubkey(struct ssh *ssh)
  89 {
 ...
 101         if (!authctxt->valid) {
 102                 debug2("%s: disabled because of invalid user", __func__);
 103                 return 0;
 104         }
 105         if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
 106             (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
 107             (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
 108                 fatal("%s: parse request failed: %s", __func__, ssh_err(r));

The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:

- if the user is invalid (it does not exist), then userauth_pubkey()
  returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
  to the attacker;

- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
  server calls fatal() and closes its connection to the attacker.

We believe that this issue warrants a CVE; it affects all operating
systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0,
released in November 2000), and is easier to exploit than previous
OpenSSH username enumerations (which were all timing attacks):

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210

We also believe that this should be posted to oss-security right away:
the issue (commit) is already public, and if we spotted it, then others
(not so well intentioned) did too. We are at your disposal for
questions, comments, and further discussions.

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team



References:
http://seclists.org/oss-sec/2018/q3/124
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
Comment 2 Marcus Meissner 2018-08-17 19:36:46 UTC
CVE-2018-15473
Comment 11 Swamp Workflow Management 2018-10-29 11:09:23 UTC
SUSE-SU-2018:3540-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1016370,1065000,1076957,1105010,1105180,1106163,1106726
CVE References: CVE-2016-10012,CVE-2016-10708,CVE-2017-15906,CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1
Comment 12 Jason Sikes 2018-10-31 15:14:37 UTC
Patches created and submitted
Comment 13 Marcus Meissner 2018-10-31 15:22:49 UTC
reopen and reassign to security-team
Comment 14 Swamp Workflow Management 2018-11-08 20:15:19 UTC
SUSE-SU-2018:3686-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1081947,1091396,1105010,1106163,964336
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    openssh-7.6p1-9.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    openssh-7.6p1-9.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    openssh-askpass-gnome-7.6p1-9.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    openssh-7.6p1-9.3.1
Comment 15 Swamp Workflow Management 2018-11-14 17:11:13 UTC
SUSE-SU-2018:3768-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,1106163,964336
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssh-openssl1-6.6p1-19.6.1
Comment 16 Swamp Workflow Management 2018-11-16 20:10:34 UTC
SUSE-SU-2018:3776-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,1106163,964336,982273
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1
SUSE Linux Enterprise Server 12-LTSS (src):    openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1
Comment 17 Swamp Workflow Management 2018-11-16 20:13:40 UTC
SUSE-SU-2018:3781-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,1106163,964336,982273
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openssh-6.6p1-36.6.1, openssh-askpass-gnome-6.6p1-36.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssh-6.6p1-36.6.1, openssh-askpass-gnome-6.6p1-36.6.1
Comment 18 Swamp Workflow Management 2018-11-16 23:15:07 UTC
openSUSE-SU-2018:3801-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1081947,1091396,1105010,1106163,964336
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
openSUSE Leap 15.0 (src):    openssh-7.6p1-lp150.8.3.1, openssh-askpass-gnome-7.6p1-lp150.8.3.1
Comment 21 Swamp Workflow Management 2018-11-26 20:10:01 UTC
SUSE-SU-2018:3910-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,964336
CVE References: CVE-2018-15473
Sources used:
SUSE OpenStack Cloud 7 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Server 12-SP4 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Server 12-SP3 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE Enterprise Storage 4 (src):    openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1
SUSE CaaS Platform ALL (src):    openssh-7.2p2-74.30.1
SUSE CaaS Platform 3.0 (src):    openssh-7.2p2-74.30.1
OpenStack Cloud Magnum Orchestration 7 (src):    openssh-7.2p2-74.30.1
Comment 22 Andreas Stieger 2018-11-29 19:42:31 UTC
done
Comment 23 Swamp Workflow Management 2018-11-29 23:09:21 UTC
openSUSE-SU-2018:3946-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,964336
CVE References: CVE-2018-15473
Sources used:
openSUSE Leap 42.3 (src):    openssh-7.2p2-25.1, openssh-askpass-gnome-7.2p2-25.1
Comment 24 Leilei Shen 2019-01-04 10:03:54 UTC
Did this patch fix the vulnerability of CVE-2018-15919 for SLES12SP2-LTSS? 
We can see the CVE-2018-15919 has been fixed. But there are no detailed version recommendations for the CVE page. 

Page link:https://www.suse.com/security/cve/CVE-2018-15919/

Who can confirm this question?
Comment 25 Marcus Meissner 2019-01-07 15:51:56 UTC
CVE-2018-15919 is tracked in bug 1106163
Comment 28 Swamp Workflow Management 2019-02-14 13:35:06 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2019-02-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64210
Comment 29 Swamp Workflow Management 2019-04-29 10:17:31 UTC
SUSE-SU-2018:3776-2: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1091396,1105010,1106163,964336,982273
CVE References: CVE-2018-15473,CVE-2018-15919
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.