oss-sec mailing list archives
Re: OpenSSH Username Enumeration
From: Solar Designer <solar () openwall com>
Date: Thu, 23 Aug 2018 12:35:52 +0200
On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
We have published our writeup https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/, hope it helps to better understanding the problem.
Thanks. We have a policy here that the actual content must be in the message, not only included by reference. Luckily, Qualys already brought some detail in here, but nevertheless I'm also attaching a text export of your blog post. Next time you post, please take care of this on your own (if relevant). https://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines "At least the most essential part of your message (e.g., vulnerability detail and/or exploit) should be directly included in the message itself (and in plain text), rather than only included by reference to an external resource. Posting links to relevant external resources as well is acceptable, but posting only links is not. Your message should remain valuable even with all of the external resources gone." As it relates to the actual issue (and past issues, which had to do with the password hashing step being skipped or done differently), I'd like to note that username enumeration will generally remain possible via finer and more numerous timing measurements, primarily because user lookup with getpwnam(3) and such is generally not timing-safe. Fixing some of these issues, we're just making username enumeration harder, slower, and less reliable. These are fine goals and it's great that specific fixable issues are getting fixed, but I do see why the OpenSSH team wouldn't formally treat this as a vulnerability. OTOH, easy username enumeration issues were treated as vulnerabilities (although maybe not by upstreams, I just don't recall) at least for proftpd and vsftpd (these got CVE IDs for such issues in 2004), and probably more. Alexander
Attachment:
OpenSSH-users-enumeration-CVE-2018-15473.txt
Description:
Current thread:
- OpenSSH Username Enumeration Qualys Security Advisory (Aug 15)
- Re: OpenSSH Username Enumeration Matthew Daley (Aug 16)
- Re: OpenSSH Username Enumeration Salvatore Bonaccorso (Aug 17)
- Re: OpenSSH Username Enumeration Dariusz Tytko (Aug 17)
- Re: OpenSSH Username Enumeration Dariusz Tytko (Aug 23)
- Re: OpenSSH Username Enumeration Solar Designer (Aug 23)
- Re: OpenSSH Username Enumeration Qualys Security Advisory (Aug 23)