The username disclosure vulnerability allows a remote attacker to confirm whether a guessed username is registered on an OpenSSH server. A security researcher from Qualys spotted a commit in OpenBSD’s OpenSSH source code.
The researcher identified the commit as the fix for a security bug that has been present in the OpenSSH client since it was first built. According to the researcher:
Figure: Code excerpt from auth2-pubkey.c
The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and:
– if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;
– if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.
The proof-of-concept (PoC) Python script available here triggers the bug discussed above. Identifying an exact username might not pose an immediate security risk, but it discloses a valid username that could later be used in brute-force or dictionary attacks against that account with a list of candidate passwords. The PoC exploit can also be downloaded from https://www.exploit-db.com/exploits/45233/
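The two server behaviours described above (a clean SSH2_MSG_USERAUTH_FAILURE for an unknown user, an abrupt fatal() disconnect for a known one) leave a distinctive trace on the server side: one source address opening many short connections, each naming a different user and each closed before authentication completes. The following detector is an added example written for this article, not code from the original post, from Qualys or from the OpenSSH project. It assumes OpenSSH's usual syslog wording for the "Connection closed by ... [preauth]" lines, the log excerpt is constructed, and the threshold and window values are arbitrary tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (OpenSSH 7.x wording). The first
# six connections from 203.0.113.5 each name a different user and close
# before authentication; 198.51.100.7 is a normal key-based login.
SAMPLE_LOG = """\
Aug 20 10:00:01 bastion sshd[4101]: Invalid user alice from 203.0.113.5 port 51000
Aug 20 10:00:01 bastion sshd[4101]: Connection closed by invalid user alice 203.0.113.5 port 51000 [preauth]
Aug 20 10:00:02 bastion sshd[4102]: Connection closed by authenticating user bob 203.0.113.5 port 51001 [preauth]
Aug 20 10:00:03 bastion sshd[4103]: Invalid user carol from 203.0.113.5 port 51002
Aug 20 10:00:03 bastion sshd[4103]: Connection closed by invalid user carol 203.0.113.5 port 51002 [preauth]
Aug 20 10:00:04 bastion sshd[4104]: Connection closed by authenticating user dave 203.0.113.5 port 51003 [preauth]
Aug 20 10:00:05 bastion sshd[4105]: Invalid user erin from 203.0.113.5 port 51004
Aug 20 10:00:05 bastion sshd[4105]: Connection closed by invalid user erin 203.0.113.5 port 51004 [preauth]
Aug 20 10:00:06 bastion sshd[4106]: Connection closed by authenticating user frank 203.0.113.5 port 51005 [preauth]
Aug 20 10:01:00 bastion sshd[4200]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2: RSA SHA256:CONSTRUCTED
Aug 20 10:02:00 bastion sshd[4201]: Connection closed by authenticating user bob 198.51.100.7 port 40002 [preauth]
"""

# Matches both the "invalid user" and "authenticating user" variants of the
# pre-authentication disconnect line, capturing timestamp, username and source IP.
PREAUTH_CLOSE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection closed by (?:invalid user|authenticating user) "
    r"(?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]$"
)


def parse_preauth_close(line):
    """Return (source_ip, username, timestamp) for a preauth disconnect line, else None."""
    m = PREAUTH_CLOSE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for computing differences within one log file.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return m.group("ip"), m.group("user"), ts


def detect_enumeration(log_text, threshold=5, window_seconds=60):
    """Map source IP -> max number of distinct usernames that were each tried and
    dropped before authentication within any window_seconds span, for IPs whose
    count reaches threshold (both values are assumed tuning parameters)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_preauth_close(line)
        if parsed:
            ip, user, ts = parsed
            events[ip].append((ts, user))

    suspicious = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({u for _, u in evs[start:end + 1]})
            if distinct >= threshold:
                suspicious[ip] = max(distinct, suspicious.get(ip, 0))
    return suspicious


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} distinct users dropped pre-auth")
```

Only the disconnect line is counted, so a single user retrying a passphrase or a normal key login never trips the rule; what raises the score is breadth of usernames from one address in a short span. Pointing the function at a real auth.log (or journal export) and tuning the threshold to the host's normal traffic is the intended use.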
Using the PoC Script
The PoC script requires the Paramiko library (http://www.paramiko.org/).
When the PoC is executed with a valid username, Bob:
When the PoC is executed with an invalid username, Alice:
The OpenSSH username enumeration vulnerability is an information disclosure vulnerability. It is not something like a buffer overflow or remote code execution vulnerability that requires immediate attention or poses a high risk. The vulnerability can be mitigated by disabling the vulnerable authentication method until a patch is available. If you are not using public key authentication, the vulnerability can be mitigated by simply disabling it, since disabling that authentication method prevents the PoC from working. If you are using public key authentication, it is recommended not to switch to username/password authentication.