Bug 1623184 (CVE-2018-15919)

Summary: CVE-2018-15919 openssh: User enumeration via malformed packets in authentication requests
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ahardin, apmukher, bleanhar, bmcclain, ccoleman, dbaker, dedgar, dfediuck, dmoppert, dwalsh, eedri, fabio.goia, gsuckevi, huangwenji, jfch, jgoulding, jijia, jjelen, lkundrak, mattias.ellert, mchappel, mgoldboi, michal.skrivanek, mperina, plautrba, sbonazzo, sherold, slawomir, songshuaishuai2, sthangav, trankin, wangye54, yozone, ysoni
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenSSH Server, where failed GSSAPI authentication attempts elicit different responses depending on whether the target username exists, a remote attacker could exploit this behavior to enumerate valid usernames on a system, potentially aiding in further attacks. This issue could be leveraged in reconnaissance efforts to identify existing user accounts.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:54:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1623185, 1623186, 1661050    
Bug Blocks: 1623187    

Description Laura Pardo 2018-08-28 16:38:05 UTC 
A flaw was found in OpenSSH versions from 5.9 (September 6, 2011) to the recently released 7.8 (August 24, 2018), inclusive. A remotely observable behaviour in auth-gss2.c could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. Similar to CVE-2018-15473 (it is not a timing attack)


References:
http://seclists.org/oss-sec/2018/q3/180
Comment 1 Laura Pardo 2018-08-28 16:38:48 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1623185]
Comment 9 Shuai Song 2018-12-04 10:28:43 UTC 
Hi everyone, Will this cve be fixed in redhat7 ? 

looking for your reply.Thanks.
Comment 13 fabio.goia 2019-06-27 19:35:44 UTC 
Hi everybody

I didn't find an update for this issue to the RHEL 7. 
Is there a fix?

Thanks
Comment 14 wangye 2019-09-25 03:44:22 UTC 
Is this vulnerability still not fixed? Is there a fix? Still think that "system libraries will not treat this type of information leakage as a threat, because the username is considered to be a non-secret part of the user's identity, and an attacker without a password is useless"?
Comment 21 Doran Moppert 2020-02-11 23:03:08 UTC 
Mitigation:

If GSSAPI Authentication is not required, this flaw can be mitigated by changing the global configuration in `/etc/ssh/sshd_config` from `GSSAPIAuthentication yes` to `GSSAPIAuthentication no`.
Comment 22 Jakub Jelen 2020-02-12 07:02:02 UTC 
I updated the doc text. There is nothing like OpenSSHD (even though it is mentioned in few of the advisories. I remember there was something like this for windows, but I can not find it now. We ship OpenSSH in RHEL and its server is called sshd. I would keep it as "OpenSSH server" or sshd, not the combination of both.