1433824 – (CVE-2017-2659) CVE-2017-2659 dropbear: Information leak when given invalid username

Bug 1433824 (CVE-2017-2659) - CVE-2017-2659 dropbear: Information leak when given invalid username

Summary: CVE-2017-2659 dropbear: Information leak when given invalid username

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-2659
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-03-20 03:07 UTC by Doran Moppert
Modified:	2021-10-21 11:52 UTC (History)
CC List:	5 users (show)
Fixed In Version:	dropbear 2013.59
Doc Type:	If docs needed, set a value
Doc Text:	It was found that dropbear, with GSSAPI, leaks whether the given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
Clone Of:
Environment:
Last Closed:	2021-10-21 11:52:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Doran Moppert 2017-03-20 03:07:25 UTC

It was found that dropbear with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.

This was fixed in dropbear-2013.59, as part of the following patch:

https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86

Comment 1 Doran Moppert 2017-03-20 03:11:35 UTC

Acknowledgments:

Name: Gilford Martino (Bae Systems), Scott McKee (Bae Systems)

Comment 2 Doran Moppert 2019-03-18 02:53:05 UTC

External References:

https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86

Note You need to log in before you can comment on or make changes to this bug.