Bugzilla – Bug 1105010
VUL-1: CVE-2018-15473: openssh-openssl1,openssh: OpenSSH Username Enumeration
Last modified: 2020-06-08 19:13:22 UTC
OSS:2018/Q3/124 https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 OpenSSH Username Enumeration From: Qualys Security Advisory <qsa () qualys com> Date: Wed, 15 Aug 2018 09:05:58 -0700 Hi all, We sent the following email to openssh () openssh com and distros () vs openwall org about an hour ago, and it was decided that we should send it to oss-security () lists openwall com right away (as far as we know, no CVE has been assigned to this issue yet): ======================================================================== While reviewing the latest OpenSSH commits, we stumbled across: https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Date: Tue Jul 31 03:10:27 2018 +0000 delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed. Reported by Dariusz Tytko and Michal Sajdak; ok deraadt We realized that without this patch, a remote attacker can easily test whether a certain user exists or not (username enumeration) on a target OpenSSH server: 87 static int 88 userauth_pubkey(struct ssh *ssh) 89 { ... 101 if (!authctxt->valid) { 102 debug2("%s: disabled because of invalid user", __func__); 103 return 0; 104 } 105 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || 106 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || 107 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) 108 fatal("%s: parse request failed: %s", __func__, ssh_err(r)); The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and: - if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker; - if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker. We believe that this issue warrants a CVE; it affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000), and is easier to exploit than previous OpenSSH username enumerations (which were all timing attacks): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 We also believe that this should be posted to oss-security right away: the issue (commit) is already public, and if we spotted it, then others (not so well intentioned) did too. We are at your disposal for questions, comments, and further discussions. Thank you very much! With best regards, -- the Qualys Security Advisory team References: http://seclists.org/oss-sec/2018/q3/124 https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
CVE-2018-15473
https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
SUSE-SU-2018:3540-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1016370,1065000,1076957,1105010,1105180,1106163,1106726 CVE References: CVE-2016-10012,CVE-2016-10708,CVE-2017-15906,CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.41.5.1, openssh-askpass-gnome-6.2p2-0.41.5.1
Patches created and submitted
reopen and reassign to security-team
SUSE-SU-2018:3686-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1081947,1091396,1105010,1106163,964336 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): openssh-7.6p1-9.3.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): openssh-7.6p1-9.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 (src): openssh-askpass-gnome-7.6p1-9.3.1 SUSE Linux Enterprise Module for Basesystem 15 (src): openssh-7.6p1-9.3.1
SUSE-SU-2018:3768-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,1106163,964336 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): openssh-openssl1-6.6p1-19.6.1
SUSE-SU-2018:3776-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,1106163,964336,982273 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Server 12-SP1-LTSS (src): openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1 SUSE Linux Enterprise Server 12-LTSS (src): openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1
SUSE-SU-2018:3781-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,1106163,964336,982273 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-36.6.1, openssh-askpass-gnome-6.6p1-36.6.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-36.6.1, openssh-askpass-gnome-6.6p1-36.6.1
openSUSE-SU-2018:3801-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1081947,1091396,1105010,1106163,964336 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: openSUSE Leap 15.0 (src): openssh-7.6p1-lp150.8.3.1, openssh-askpass-gnome-7.6p1-lp150.8.3.1
SUSE-SU-2018:3910-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,964336 CVE References: CVE-2018-15473 Sources used: SUSE OpenStack Cloud 7 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Server 12-SP4 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Server 12-SP3 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Desktop 12-SP4 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Linux Enterprise Desktop 12-SP3 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE Enterprise Storage 4 (src): openssh-7.2p2-74.30.1, openssh-askpass-gnome-7.2p2-74.30.1 SUSE CaaS Platform ALL (src): openssh-7.2p2-74.30.1 SUSE CaaS Platform 3.0 (src): openssh-7.2p2-74.30.1 OpenStack Cloud Magnum Orchestration 7 (src): openssh-7.2p2-74.30.1
done
openSUSE-SU-2018:3946-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,964336 CVE References: CVE-2018-15473 Sources used: openSUSE Leap 42.3 (src): openssh-7.2p2-25.1, openssh-askpass-gnome-7.2p2-25.1
Did this patch fix the vulnerability of CVE-2018-15919 for SLES12SP2-LTSS? We can see the CVE-2018-15919 has been fixed. But there are no detailed version recommendations for the CVE page. Page link:https://www.suse.com/security/cve/CVE-2018-15919/ Who can confirm this question?
CVE-2018-15919 is tracked in bug 1106163
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2019-02-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64210
SUSE-SU-2018:3776-2: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1091396,1105010,1106163,964336,982273 CVE References: CVE-2018-15473,CVE-2018-15919 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): openssh-6.6p1-54.18.1, openssh-askpass-gnome-6.6p1-54.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.