
OpenSSH Prone to Username Disclosure Vulnerability

Introduction

The username disclosure vulnerability allows a remote attacker to determine whether a given username is registered on an OpenSSH server. A security researcher from Qualys spotted the relevant commit in OpenBSD's OpenSSH source code.

Description

The researcher identified the commit, which fixes a security bug that has been present in OpenSSH since the code was first written. According to the researcher:

Figure: Code excerpt from auth2-pubkey.c

The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and:

– if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;

– if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.

The proof-of-concept (PoC) Python script available here triggers the bug discussed above. Identifying an exact username might not pose an immediate security risk, but it exposes the username, which could later be used in brute-force or dictionary attacks with a list of possible passwords. The PoC exploit can also be downloaded from https://www.exploit-db.com/exploits/45233/
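As an added illustration (not OpenSSH's own code and not the PoC), the following simplified C model shows the ordering mistake the researcher describes and the reordering that removes it: the vulnerable path rejects an unknown user before parsing the request, so a truncated packet only ever reaches fatal() for real users; the fixed path parses first, so every username produces the same observable outcome. The packet layout, the function names and the two sample packets are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the client observes: a USERAUTH_FAILURE reply or a dropped connection. */
enum outcome { AUTH_FAILURE, CONN_FATAL };

/* Constructed sample packets (assumed layout: one "has signature" byte, then a
 * length-prefixed algorithm name): a well-formed request naming "ssh-rsa", and
 * the same request truncated in the middle of the string. */
static const uint8_t WELL_FORMED[] = {0x00, 0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a'};
static const uint8_t TRUNCATED[]   = {0x00, 0, 0, 0, 7, 's', 's'};

/* Stand-in for the sshpkt_get_u8()/sshpkt_get_cstring() sequence: 0 on
 * success, -1 on a malformed or truncated body (where sshd calls fatal()). */
static int parse_pubkey_request(const uint8_t *pkt, size_t len)
{
    size_t off = 1;
    if (len < 1) return -1;                         /* no "has signature" byte */
    if (len - off < 4) return -1;                   /* no string length field  */
    uint32_t alglen = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
                      ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
    off += 4;
    if (len - off < alglen) return -1;              /* string body truncated   */
    return 0;
}

/* Vulnerable ordering: unknown users are rejected before the packet is read,
 * so only existing users can trigger the parse error and the fatal() path. */
enum outcome userauth_pubkey_vulnerable(int user_valid, const uint8_t *pkt, size_t len)
{
    if (!user_valid) return AUTH_FAILURE;           /* SSH2_MSG_USERAUTH_FAILURE */
    if (parse_pubkey_request(pkt, len) != 0) return CONN_FATAL;  /* fatal() */
    return AUTH_FAILURE;                            /* no usable key: failure */
}

/* Fixed ordering: the whole request is parsed before user validity matters,
 * so a malformed packet behaves identically for every username. */
enum outcome userauth_pubkey_fixed(int user_valid, const uint8_t *pkt, size_t len)
{
    if (parse_pubkey_request(pkt, len) != 0) return CONN_FATAL;
    (void)user_valid;  /* validity is consulted only now; result is a failure either way */
    return AUTH_FAILURE;
}

/* Oracle check used by the test: does the handler respond differently to the
 * same packet depending on whether the user exists? 1 = leaks, 0 = no leak. */
int distinguishes_users(enum outcome (*fn)(int, const uint8_t *, size_t),
                        const uint8_t *pkt, size_t len)
{
    return fn(1, pkt, len) != fn(0, pkt, len);
}

int main(void)
{
    printf("vulnerable leaks on truncated packet: %d\n",
           distinguishes_users(userauth_pubkey_vulnerable, TRUNCATED, sizeof TRUNCATED));
    printf("fixed leaks on truncated packet:      %d\n",
           distinguishes_users(userauth_pubkey_fixed, TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```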

Using the PoC Script

The PoC script requires the Paramiko library (http://www.paramiko.org/).

Figure: PoC output when executed with a valid username (Bob)

Figure: PoC output when executed with an invalid username (Alice)

Conclusion

The OpenSSH username enumeration vulnerability is an information disclosure vulnerability. It is not a buffer overflow or remote code execution vulnerability that requires immediate attention or poses a high risk. The vulnerability can be mitigated by disabling the vulnerable authentication method until a patch is available. If you are not using public key authentication, the vulnerability can be mitigated by simply disabling it, since disabling that authentication method prevents the PoC from working. If you are using public key authentication, it is recommended not to switch to username/password authentication.


References:

https://www.exploit-db.com/exploits/45233/

https://news.bullwall.com/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/

http://seclists.org/oss-sec/2018/q3/136

https://nvd.nist.gov/vuln/detail/CVE-2018-15473

OpenSSH User Enumeration Vulnerability: a Close Look
