#VU14440 User enumeration in OpenSSH


Published: 2020-03-18 | Updated: 2023-03-09

Vulnerability identifier: #VU14440

Vulnerability risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-15473

CWE-ID: CWE-388

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a remote attacker to enumerate all accounts on the system.

The vulnerability exists due to a logical error in auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c files when processing authentication requests. A remote attacker can send a specially crafted chain of packets and monitor behavior of openssh server to determine presence of a valid username. The server will drop connection upon receiving a malformed authentication packets if the username is valid.

Mitigation

Update to version 7.8.
You can also install patch from GIT repository:

Vulnerable software versions

OpenSSH: 2.3.0p1 - 7.7p1

External links
http://seclists.org/oss-sec/2018/q3/124
http://bugfuzz.com/stuff/ssh-check-username.py
http://www.openssh.com/txt/release-7.8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Cloud Tiering Appliance Family
Multiple vulnerabilities in Dell EMC Unity Family
Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Cloud Foundry cflinuxfs3 update for OpenSSH
Ubuntu update for openssh
Red Hat update for openssh
Red Hat update for openssh
OpenSUSE Linux update for openssh
OpenSUSE Linux update for openssh
Ubuntu update for OpenSSH