Thanks, Kazza. That certainly helped. I also had a word with Marc and we reached to the conclusion that Stretch isn't affected with this backporting problem.
Thanks, again! \o/ -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1934501 Title: CVE-2018-15473 patch introduce user enumeration vulnerability Status in openssh package in Ubuntu: Fix Released Bug description: I was recently using a 18.04 machine and noticed that the result of connecting to ssh with an arbitrary public key varied depending if the user was valid. After some investigation, it appears to only be present when CVE-2018-15473.patch has been applied. Directly pulling a 18.04 docker image and installing openssh server (currently 1:7.6p1-4ubuntu0.3) results in a trivial user enumeration vulnerability in the default config. Below shows the setup of environment: $ docker pull ubuntu:18.04 18.04: Pulling from library/ubuntu Digest: sha256:139b3846cee2e63de9ced83cee7023a2d95763ee2573e5b0ab6dea9dfbd4db8f Status: Image is up to date for ubuntu:18.04 docker.io/library/ubuntu:18.04 $ docker run -t -i --rm -e TERM=${TERM} ubuntu:18.04 root@75569fbf0b03:/# apt update ...snip... root@75569fbf0b03:/# apt install openssh-server ...snip... root@75569fbf0b03:/# dpkg-query -l openssh\* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-========================================-=========================-=========================-===================================================================================== ii openssh-client 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) client, for secure access to remote machines ii openssh-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) server, for secure access from remote machines ii openssh-sftp-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines root@75569fbf0b03:/# mkdir /run/sshd root@75569fbf0b03:/# /usr/sbin/sshd -D Then to perform user enumeration, connecting with a public key results in user enumeration: * in the following id_rsa-dummy.pub is removed as it slightly changes message flow * I have not checked different versions of the ssh client $ ssh -V OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 $ ssh-keygen -t rsa -C dummy -P '' -f id_rsa-dummy $ rm id_rsa-dummy.pub $ ssh -i id_rsa-dummy invalid@172.17.0.2 Connection closed by 172.17.0.2 port 22 $ ssh -i id_rsa-dummy root@172.17.0.2 root@172.17.0.2's password: That is, when invalid users are provided to public key auth the connection is closed by the server. Otherwise, it will move onto the next auth method. This can be improved by adding "ssh -o PasswordAuthentication=no" when connecting to avoid password prompt and get an easy to script error message. I have verified that this behaviour is present after starting with original source and only applying CVE-2018-15473.patch from the openssh_7.6p1-4ubuntu0.3.debian.tar.xz archive. Without this patch this behaviour is not present. $ md5sum openssh-7.6p1.tar.gz debian/patches/CVE-2018-15473.patch 06a88699018e5fef13d4655abfed1f63 openssh-7.6p1.tar.gz 6101d47f542690b0c5e354ec8b8a70a1 debian/patches/CVE-2018-15473.patch To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1934501/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
