** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1934501
Title:
CVE-2018-15473 patch introduce user enumeration vulnerability
Status in openssh package in Ubuntu:
Fix Released
Bug description:
I was recently using a 18.04 machine and noticed that the result of
connecting to ssh with an arbitrary public key varied depending if the
user was valid.
After some investigation, it appears to only be present when
CVE-2018-15473.patch has been applied.
Directly pulling a 18.04 docker image and installing openssh server
(currently 1:7.6p1-4ubuntu0.3) results in a trivial user enumeration
vulnerability in the default config.
Below shows the setup of environment:
$ docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
Digest:
sha256:139b3846cee2e63de9ced83cee7023a2d95763ee2573e5b0ab6dea9dfbd4db8f
Status: Image is up to date for ubuntu:18.04
docker.io/library/ubuntu:18.04
$ docker run -t -i --rm -e TERM=${TERM} ubuntu:18.04
root@75569fbf0b03:/# apt update
...snip...
root@75569fbf0b03:/# apt install openssh-server
...snip...
root@75569fbf0b03:/# dpkg-query -l openssh\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version
Architecture Description
+++-========================================-=========================-=========================-=====================================================================================
ii openssh-client 1:7.6p1-4ubuntu0.3 amd64
secure shell (SSH) client, for secure access to remote
machines
ii openssh-server 1:7.6p1-4ubuntu0.3 amd64
secure shell (SSH) server, for secure access from remote
machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.3 amd64
secure shell (SSH) sftp server module, for SFTP access from
remote machines
root@75569fbf0b03:/# mkdir /run/sshd
root@75569fbf0b03:/# /usr/sbin/sshd -D
Then to perform user enumeration, connecting with a public key results in
user enumeration:
* in the following id_rsa-dummy.pub is removed as it slightly changes message
flow
* I have not checked different versions of the ssh client
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
$ ssh-keygen -t rsa -C dummy -P '' -f id_rsa-dummy
$ rm id_rsa-dummy.pub
$ ssh -i id_rsa-dummy [email protected]
Connection closed by 172.17.0.2 port 22
$ ssh -i id_rsa-dummy [email protected]
[email protected]'s password:
That is, when invalid users are provided to public key auth the
connection is closed by the server. Otherwise, it will move onto the
next auth method. This can be improved by adding "ssh -o
PasswordAuthentication=no" when connecting to avoid password prompt
and get an easy to script error message.
I have verified that this behaviour is present after starting with
original source and only applying CVE-2018-15473.patch from the
openssh_7.6p1-4ubuntu0.3.debian.tar.xz archive. Without this patch
this behaviour is not present.
$ md5sum openssh-7.6p1.tar.gz debian/patches/CVE-2018-15473.patch
06a88699018e5fef13d4655abfed1f63 openssh-7.6p1.tar.gz
6101d47f542690b0c5e354ec8b8a70a1 debian/patches/CVE-2018-15473.patch
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1934501/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
