U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Expert found a flaw that affects all OpenSSH versions since 1999

Security expert discovered a username enumeration vulnerability in the OpenSSH client that affects all versions of the software that was released since 1999. Security expert Darek Tytko from securitum.pl has discovered a username enumeration vulnerability in the OpenSSH client. The flaw tracked as CVE-2018-15473 affects all versions of the software that was released since 1999. The vulnerability could […]

OpenSSH server

Verschluesselte Kommunikation mit OpenSSH

Security expert discovered a username enumeration vulnerability in the OpenSSH client that affects all versions of the software that was released since 1999.

Security expert Darek Tytko from securitum.pl has discovered a username enumeration vulnerability in the OpenSSH client. The flaw tracked as CVE-2018-15473 affects all versions of the software that was released since 1999. The vulnerability could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

OpenSSH maintainers have now released a security fix, but since the OpenSSH client is included in a broad range of software applications many of them could remain vulnerable for a long time.

Researchers from Qualys have published a detailed analysis of the vulnerability once discovered that the bug was fixed.

The flaw could potentially impact billion of devices using the vulnerable software.

Let’s see in detail how attackers can trigger the flaw.

The attacker tries to authenticate on an OpenSSH endpoint using a malformed authentication request (i.e. a truncated packet).

A vulnerable OpenSSH server, in turn, would respond in two different ways.

If the username included in the malformed authentication request does not exist, the server responds with authentication failure reply, otherwise, the server closes the connection without a reply.

“The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and:

  • if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;
  • if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.” states the advisory.

“We believe that this issue warrants a CVE; it affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000), and is easier to exploit than previous OpenSSH username enumerations (which were all timing attacks):”

OpenSSH

The flaw could allow an attacker to guess valid usernames registered on an SSH server, then to launch brute-force attacks to guess the password.

Open SSH versions 1:6.7p1-1 and 1:7.7p1-1— and the 1:7.7p1-4 unstable branch have addressed the flaw.

Proof-of-concept codes for the vulnerability are already available online:

The security researchers Didier Stevens of NVISO Labs also published a detailed analysis of the flaw that includes instructions to test servers against it.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – hacking, CVE-2018-15473)

[adrotate banner=”5″]

[adrotate banner=”13″]