CVE-2018-15473 patch introduces user enumeration vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Bug Description
I was recently using an 18.04 machine and noticed that the result of connecting to ssh with an arbitrary public key varied depending on whether the user was valid.
After some investigation, it appears to only be present when CVE-2018-
Directly pulling an 18.04 docker image and installing openssh server (currently 1:7.6p1-4ubuntu0.3) results in a trivial user enumeration vulnerability in the default config.
Below shows the setup of the environment:

```
$ docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
Digest: sha256:
Status: Image is up to date for ubuntu:18.04
docker.
$ docker run -t -i --rm -e TERM=${TERM} ubuntu:18.04
root@75569fbf0b
...snip...
root@75569fbf0b
...snip...
root@75569fbf0b
Desired=
| Status=
|/ Err?=(none)
||/ Name                 Version             Architecture Description
+++-===
ii  openssh-client       1:7.6p1-4ubuntu0.3  amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server       1:7.6p1-4ubuntu0.3  amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server  1:7.6p1-4ubuntu0.3  amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
root@75569fbf0b
root@75569fbf0b
```
Then to perform user enumeration, connecting with a public key results in user enumeration:
* in the following id_rsa-dummy.pub is removed as it slightly changes message flow
* I have not checked different versions of the ssh client
```
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
$ ssh-keygen -t rsa -C dummy -P '' -f id_rsa-dummy
$ rm id_rsa-dummy.pub
$ ssh -i id_rsa-dummy invalid@172.17.0.2
Connection closed by 172.17.0.2 port 22
$ ssh -i id_rsa-dummy root@172.17.0.2
root@172.17.0.2's password:
```
That is, when invalid users are provided to public key auth the connection is closed by the server. Otherwise, it will move on to the next auth method. This can be improved by adding "ssh -o PasswordAuthent
I have verified that this behaviour is present after starting with original source and only applying CVE-2018-
```
$ md5sum openssh-
06a88699018e5fe
6101d47f542690b
```
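As an added defender-side example (not part of this bug report and not code from the openssh package): on the server, the behaviour described above leaves a recognisable trace in sshd's auth log, an "Invalid user" line followed by the connection being closed before authentication completes, and a burst of such pairs from one source address, each naming a different user, is the pattern worth alerting on. The log lines below are constructed for the example; the message formats follow sshd's usual syslog output (both the "Connection closed by IP" form of 7.x and the later form that repeats the invalid user name), which is an assumption about the deployed version, and the window and threshold values are arbitrary choices to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the bug report).
# 203.0.113.7 tries four different invalid names within a few seconds;
# 198.51.100.9 makes one typo-style attempt; 198.51.100.4 logs in normally.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 host sshd[2101]: Invalid user admin from 203.0.113.7 port 51001
Jan 10 12:00:01 host sshd[2101]: Connection closed by 203.0.113.7 port 51001 [preauth]
Jan 10 12:00:02 host sshd[2102]: Invalid user oracle from 203.0.113.7 port 51002
Jan 10 12:00:02 host sshd[2102]: Connection closed by invalid user oracle 203.0.113.7 port 51002 [preauth]
Jan 10 12:00:03 host sshd[2103]: Invalid user test from 203.0.113.7 port 51003
Jan 10 12:00:03 host sshd[2103]: Connection closed by 203.0.113.7 port 51003 [preauth]
Jan 10 12:00:04 host sshd[2104]: Invalid user backup from 203.0.113.7 port 51004
Jan 10 12:00:04 host sshd[2104]: Connection closed by 203.0.113.7 port 51004 [preauth]
Jan 10 12:00:09 host sshd[2105]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2: RSA SHA256:placeholderfingerprint
Jan 10 12:30:00 host sshd[2106]: Invalid user bob from 198.51.100.9 port 40100
Jan 10 12:30:00 host sshd[2106]: Connection closed by 198.51.100.9 port 40100 [preauth]
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# "Invalid user NAME from IP port PORT", as sshd logs an unknown user name.
INVALID_RE = re.compile(
    TS + r" \S+ sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# Pre-auth close; the "invalid user NAME" prefix is optional so both the 7.x
# and the newer message shape are matched (assumed formats, see lead-in).
CLOSED_RE = re.compile(
    TS + r" \S+ sshd\[(?P<pid>\d+)\]: Connection closed by (?:invalid user \S+ )?"
    r"(?P<ip>[\d.]+) port \d+ \[preauth\]")


def parse_ts(raw):
    """Parse a syslog timestamp (no year; only ordering within one log matters)."""
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def parse_preauth_probes(log_text):
    """Return (timestamp, ip, user) for every connection that named an invalid
    user and was then closed before authentication, paired via the sshd PID."""
    pending = {}   # pid -> (ts, ip, user) awaiting its pre-auth close
    probes = []
    for line in log_text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            pending[m["pid"]] = (parse_ts(m["ts"]), m["ip"], m["user"])
            continue
        m = CLOSED_RE.match(line)
        if m and m["pid"] in pending:
            ts, ip, user = pending.pop(m["pid"])
            if ip == m["ip"]:
                probes.append((ts, ip, user))
    return probes


def find_enumeration_sources(probes, window_seconds=60, min_distinct_users=3):
    """Flag source IPs that probed at least min_distinct_users different invalid
    names inside any window_seconds span. Distinct names are counted rather than
    raw attempts so one client retrying a single mistyped name is not flagged.
    Returns {ip: sorted list of all invalid names that ip tried}."""
    by_ip = defaultdict(list)
    for ts, ip, user in probes:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_enumeration_sources(parse_preauth_probes(SAMPLE_AUTH_LOG)).items():
        print(f"possible user enumeration from {ip}: {', '.join(users)}")
```

Pairing the "Invalid user" line with the later close through the sshd child PID keeps the check tied to the individual connection, so a close on some other session from the same address does not count. On the sample input only 203.0.113.7 is reported; the single attempt from 198.51.100.9 stays below the threshold.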
CVE References
information type: Private Security → Public Security
This sounds like the following, which the upstream OpenSSH developers chose to ignore:
https://www.openwall.com/lists/oss-security/2018/08/27/2
Could you confirm? Thanks!