OpenSSH CVE-2018-15473 User Enumeration Vulnerability

OpenSSH is prone to a user-enumeration vulnerability.

An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks.

OpenSSH through 7.7 are vulnerable; other versions may also be affected.

Information

Bugtraq ID: 105140
Class: Access Validation Error
CVE: CVE-2018-15473

Remote: Yes
Local: No
Published: Aug 16 2018 12:00AM
Updated: Aug 16 2018 12:00AM
Credit: The vendor reported this issue.
Vulnerable: Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Redhat Enterprise Linux 5
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 2.9
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
OpenSSH OpenSSH 2.5.2
- Caldera OpenUnix 8.0
- Caldera UnixWare 7.1.1
- Wirex Immunix OS 6.2
OpenSSH OpenSSH 2.5.1
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. SuSE eMail Server III
- SCO Open Server 5.0.6 a
- SCO Open Server 5.0.6
- SCO Open Server 5.0.5
- SCO Open Server 5.0.4
- SCO Open Server 5.0.3
- SCO Open Server 5.0.2
- SCO Open Server 5.0.1
- SCO Open Server 5.0
+ SuSE Linux 7.3
+ SuSE Linux 7.2
+ SuSE Linux 7.1
+ SuSE SUSE Linux Enterprise Server 7
OpenSSH OpenSSH 2.5
OpenSSH OpenSSH 2.3
- SuSE Linux 7.0 sparc
- SuSE Linux 7.0 ppc
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 alpha
- SuSE Linux 6.4 ppc
- SuSE Linux 6.4 i386
- SuSE Linux 6.4 alpha
OpenSSH OpenSSH 2.1.1
+ SuSE Linux 7.0 sparc
+ SuSE Linux 7.0 ppc
+ SuSE Linux 7.0 i386
+ SuSE Linux 7.0 alpha
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
+ Blue Coat Systems Security Gateway OS 2.1.5001 SP1
OpenSSH OpenSSH 1.2.2
OpenSSH OpenSSH 7.7
OpenSSH OpenSSH 7.6
OpenSSH OpenSSH 7.4
OpenSSH OpenSSH 7.3
OpenSSH OpenSSH 7.2
OpenSSH OpenSSH 7.1
OpenSSH OpenSSH 7.0
OpenSSH OpenSSH 6.9
OpenSSH OpenSSH 6.8
OpenSSH OpenSSH 6.7
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
- SCO Open Server 5.0.6 a
- SCO Open Server 5.0.6
- SCO Open Server 5.0.5
- SCO Open Server 5.0.4
- SCO Open Server 5.0.3
- SCO Open Server 5.0.2
- SCO Open Server 5.0.1
- SCO Open Server 5.0
+ SuSE Linux 7.3
+ SuSE Linux 7.2
+ SuSE Linux 7.1
+ SuSE SUSE Linux Enterprise Server 7
OpenSSH OpenSSH 6.6
OpenSSH OpenSSH 6.5
OpenSSH OpenSSH 6.4
OpenSSH OpenSSH 6.3
OpenSSH OpenSSH 6.2
OpenSSH OpenSSH 6.1
OpenSSH OpenSSH 6.0
OpenSSH OpenSSH 5.8
OpenSSH OpenSSH 5.7
OpenSSH OpenSSH 5.6
OpenSSH OpenSSH 5.5
OpenSSH OpenSSH 4.5
OpenSSH OpenSSH 1.127
OpenSSH OpenSSH 1.126
OpenBSD OpenSSH 6.0
OpenBSD OpenSSH 3.0.2
OpenBSD OpenSSH 2.5.2
OpenBSD OpenSSH 2.3.1
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
OpenBSD OpenSSH 2.1
OpenBSD OpenSSH 1.2.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
OpenBSD OpenSSH 1.2
OpenBSD OpenSSH 6.6
OpenBSD OpenSSH 6.5
OpenBSD OpenSSH 6.4
OpenBSD OpenSSH 5.9
OpenBSD OpenSSH 5.8
OpenBSD OpenSSH 5.7
OpenBSD OpenSSH 5.4
OpenBSD OpenSSH 5.2
OpenBSD OpenSSH 5.1
OpenBSD OpenSSH 4.9
OpenBSD OpenSSH 4.8
OpenBSD OpenSSH 4.7
OpenBSD OpenSSH 4.6
OpenBSD OpenSSH 4.4
OpenBSD OpenSSH 4.3
OpenBSD OpenSSH 4.2
OpenBSD OpenSSH 4.1
OpenBSD OpenSSH 4.0

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• delay bailout for invalid authenticating user until after the packet (openbsd)
  
• CVE-2018-15473-Exploit (Rhynorater)
  
• OpenSSH Homepage (OpenSSH)
  
• Bug 1619063 - (CVE-2018-15473) CVE-2018-15473 openssh: User enumeration via mal (Redhat)
  
• CVE-2018-15473 (Redhat)
  

Source: www.securityfocus.com