OpenSSH User name Enumeration Vulnerability : CVE-2018-15473

Posted by Author Deepak Shanker on Posted on

OpenSSH is vulnerable to user enumeration attack.  The issue affects all versions through 7.7. The vulnerability is tracked via CVE-2018-15473. Upon successful exploitation an attacker can test validity of usernames based on the target servers response. This information can be exploited in various ways depending upon the attackers resources, capabilities and the target scenario. PoC‘s exploiting this vulnerability are available publicly.

Vulnerability
When an SSH client tries to authenticate against a server with a non-existent username, the code snippet below is executed. Here the ‘if’ conditions passes and debug2() is called to register an error.

if (!authctxt->valid) 
{
   debug2("%s: disabled because of invalid user", __func__);
   return 0;
}

Similarly when the code is parsing an SSH packet and it  encounters an error fatal() is called to register a system log with priority LOG_ERR or LOG_CRIT. The code snippet below shows the condition leading to fatal().

if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
    (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
    fatal("%s: parse request failed: %s", __func__, ssh_err(r));
    pktype = sshkey_type_from_name(pkalg);
.
.
.

We ensure that fatal() is invoked by creating a condition where sshpkt_get_string() returns an error. This is done by crafting an SSH packet where the declared size is set to be more than SSHBUF_SIZE_MAX - 4. A modified version of Paramiko module can be used to generate this packet. When we try to authenticate against with a existing username we receive error “No existing session”, for a non-existent username we get “Authentication failed.”. Essentially we are using the authentication server error responses to verify that the username is correct/valid/existing.

Mitigation
Qualys customers scan their network using QID:38726 to detect vulnerable versions of OpenSSH. Qualys will continue to add more detections as vendors release their patches to address CVE-2018-15473.

Qualys Detection
QID:38726 (Authenticated): Vulnerable OpenSSH versions are detected by running ssh -V command.
QID:38726 (Unauthenticated): Vulnerable OpenSSH versions are detected based on the banner exposed by the target machine.

Please continue to follow Qualys Threat Protection for information on vulnerabilities.

References
CVE-2018-15473
OpenSSH – users enumeration – CVE-2018-15473
About OpenSSH “user enumeration” / CVE-2018-15473

1 thought on “OpenSSH User name Enumeration Vulnerability : CVE-2018-15473”

  1. In a vacuum is User Enumeration really a High? The vulnerability itself does not lead to actual exploitation. Should this not be a Medium?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *