Hi, sorry, I don't know if I am sending this to the correct channel. I have noticed that OpenSSH has recognized the presence of the user enumeration as a vulnerability, http://seclists.org/fulldisclosure/2016/Jul/51 (CVE-2016-6210). I want to make a remark: this is an old vulnerability, already announced three years ago.

https://blog.curesec.com/article/blog/OpenSSH-User-Enumeration-Time-Based-Attack-20.html
http://seclists.org/fulldisclosure/2013/Jul/88
http://www.behindthefirewalls.com/2014/07/openssh-user-enumeration-time-based.html

I would like to point out that there is another vulnerability present in the bug: it's possible in certain circumstances to provoke a DoS condition in access to the ssh server. I made a brief study of this possibility here: https://www.devconsole.info/?p=382 and included this attack in my tool that exploits this vulnerability: https://github.com/c0r3dump3d/osueta

Is it necessary to request another CVE-ID for the DoS attack? At least, I think it should be clarified in the announcement of the vulnerability.

Regards.
On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org> wrote:
> Hi, sorry I don't know if I send this to the correct channel.

It is.

[..]

> it's possible in certain circumstances to provoke a DOS
> condition in the access to the ssh server.

We have been discussing this a bit, and what we have just added is a simple hard limit on the allowed size of a password string at 1k, above which the password is immediately refused. There's other possible embellishments (eg, add a possibly variable delay) but we haven't decided on any yet.

Thanks.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
I thought this was already addressed with the internal blowfish hash of "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK", where all passwords were checked against this to prevent timing analysis for user enumeration.

On 20 July 2016 at 19:45, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org>
> wrote:
> > Hi, sorry I don't know if I send this to the correct channel.
>
> It is.
>
> [..]
> > it's possible in certain circumstances to provoke a DOS
> > condition in the access to the ssh server.
>
> We have been discussing this a bit, and what we have just added is a
> simple hard limit on the allowed size of a password string at 1k,
> above which the password is immediately refused. There's other
> possible embellishments (eg, add a possibly variable delay) but we
> haven't decided on any yet.
>
> Thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
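The two mitigations discussed in the thread, Darren's hard 1k cap on the password before any hashing and the fixed dummy hash that makes a non-existent account take the same slow path as a real one, as an added example that is not code from the thread or from OpenSSH. It assumes PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt hash the follow-up mentions, and a constructed one-user database; `check_password` and `timed_check` are hypothetical names.

```python
import hashlib
import hmac
import os
import time

# The 1k cap from the thread: anything longer is refused before hashing.
MAX_PASSWORD_LEN = 1024
# Assumption: PBKDF2-HMAC-SHA256 stands in for the bcrypt ("$2a$06$...")
# hash the thread mentions; any deliberately slow hash shows the same effect.
PBKDF2_ROUNDS = 50_000


def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


# Constructed user database: username -> (salt, stored hash).
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, hash_password(b"correct horse", _ALICE_SALT))}
# Fixed dummy credential for unknown users, so a non-existent account goes
# through the same slow hash as a real one (the role the hard-coded
# blowfish hash plays in the follow-up message).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password(os.urandom(16), _DUMMY_SALT)


def check_password(username: str, password: bytes) -> bool:
    """Return True only for a known user with the right password."""
    # DoS mitigation: reject oversized input before any expensive work,
    # for known and unknown users alike, so the cap itself leaks nothing.
    if len(password) > MAX_PASSWORD_LEN:
        return False
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = hash_password(password, salt)  # runs for unknown users too
    # Constant-time comparison; unknown users are rejected after hashing.
    matched = hmac.compare_digest(computed, expected)
    return matched and username in USERS


def timed_check(username: str, password: bytes) -> tuple[bool, float]:
    # Wall-clock time of one check, to compare the known/unknown/oversized paths.
    start = time.perf_counter()
    result = check_password(username, password)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for user, pw in [("alice", b"wrong"), ("nobody", b"wrong"), ("nobody", b"x" * 4096)]:
        ok, secs = timed_check(user, pw)
        print(f"{user:>6} len={len(pw):<5} ok={ok} {secs * 1000:.1f} ms")
```

Running it shows the known and unknown users taking comparable time while the oversized password returns almost immediately for either.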