bugzilla-daemon at bugzilla.mindrot.org
2019-Mar-05 00:03 UTC
[Bug 2975] New: CVE-2018-15919
https://bugzilla.mindrot.org/show_bug.cgi?id=2975

Bug ID: 2975
Summary: CVE-2018-15919
Product: Portable OpenSSH
Version: 7.9p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org
Reporter: jsikes at suse.de

Created attachment 3249
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3249&action=edit
Patch for "user enumeration via auth2-gss.c"

Hi.

I created a patch for CVE-2018-15919, "user enumeration via auth2-gss.c" (even though it is not user enumeration). While this patch appears to fix the problem, at least from my small amount of testing, I can't be sure that I am not introducing a new bug or a new security hole. Hopefully some people who are more knowledgeable can take a look.

The fix is two parts:

1) When a valid username is presented, sshd responds with SSH_MSG_USERAUTH_INFO_REQUEST. Otherwise, sshd responds with SSH_MSG_USERAUTH_FAILURE. My solution to this is to remove the code that presents the SSH_MSG_USERAUTH_FAILURE when an invalid username is presented. The expectation is that the login will be verified if/when the gssapi credentials are presented later. This way, the attacker will be presented with SSH_MSG_USERAUTH_INFO_REQUEST regardless of whether the user exists or not.

2) The failure count is not incremented when the username is valid. I created an interim value, was_postponed, that records the value of postponed so that when postponed is reset and the authentication is checked it can be used to determine whether the failure count can be increased.

I hope that you will find this useful.

--
You are receiving this mail because:
You are watching the assignee of the bug.
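The two observable differences described in the report above (first reply and failure counter), as an added toy model in C that is not OpenSSH code and not the attached patch, with each part of the fix switchable. `struct authctxt`, `gss_attempt`, `FIX_REPLY`, `FIX_COUNTER` and the helper functions are hypothetical names, and the way `was_postponed` is used here is an assumed reading of part 2.

```c
#include <stdio.h>
/* Message numbers: RFC 4252 (FAILURE), RFC 4256 (INFO_REQUEST). */
#define SSH_MSG_USERAUTH_FAILURE      51
#define SSH_MSG_USERAUTH_INFO_REQUEST 60
#define FIX_REPLY   1 /* part 1: no early FAILURE for unknown users */
#define FIX_COUNTER 2 /* part 2: charge attempts that were postponed */

/* Hypothetical stand-in for the server's per-connection auth state. */
struct authctxt { int valid, postponed, failures; };

/* One gssapi request that the client abandons before sending credentials
 * (constructed scenario). Returns the first message the server sends. */
int gss_attempt(struct authctxt *a, int fixes)
{
    a->postponed = 0;
    if (!a->valid && !(fixes & FIX_REPLY)) {
        a->failures++;             /* immediate rejection is counted */
        return SSH_MSG_USERAUTH_FAILURE;
    }
    a->postponed = 1;              /* server now waits for credentials */
    /* The next request resets postponed; keep the old value so the
     * unfinished attempt can still be counted (assumed reading). */
    int was_postponed = a->postponed;
    a->postponed = 0;
    if ((fixes & FIX_COUNTER) && was_postponed)
        a->failures++;
    return SSH_MSG_USERAUTH_INFO_REQUEST;
}

/* Failure count after n abandoned attempts for a valid or invalid user. */
int failures_after(int valid, int fixes, int n)
{
    struct authctxt a = { valid, 0, 0 };
    while (n-- > 0)
        gss_attempt(&a, fixes);
    return a.failures;
}

/* 1 if the first reply or the failure count depends on user validity. */
int distinguishable(int fixes, int n)
{
    struct authctxt good = { 1, 0, 0 }, bad = { 0, 0, 0 };
    return gss_attempt(&good, fixes) != gss_attempt(&bad, fixes) ||
           failures_after(1, fixes, n) != failures_after(0, fixes, n);
}

int main(void)
{
    for (int f = 0; f <= 3; f++)
        printf("fixes=%d distinguishable=%d valid_failures=%d\n",
               f, distinguishable(f, 6), failures_after(1, f, 6));
    return 0;
}
```

In this model, part 1 alone makes both cases look the same but leaves abandoned attempts uncounted for everyone, and part 2 alone equalizes the counter while the reply still differs.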