When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter response time from the server for non-existing users. This allows remote attacker to enumerate existing users on system logging via SSHD. Published in: http://seclists.org/fulldisclosure/2016/Jul/51
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1357443]
OpenSSH in RHEL 6, 7 uses a helper binary "unix_chkpwd" (via the pam_unix module) to verify the passwords. Even when long passwords are passed to OpenSSH, they are truncated to 512 bytes when passed to the helper binary. Hence, RHEL 6 and 7 are not affected by this timing attack which utilizes very long passwords. $ tail -f /var/log/secure ... Jul 21 09:49:44 localhost unix_chkpwd[2810]: password check failed for user (test) Jul 21 09:49:44 localhost sshd[2808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gateway user=test To obtain above logs, turn on "audit" flag for pam_unix.so module in /etc/pam.d/system-auth and /etc/pam.d/password-auth files (see "man pam_unix"). Relevant files: Linux-PAM-1.1.8/modules/pam_unix/unix_chkpwd.c Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c Linux-PAM-1.1.8/modules/pam_unix/support.c (_unix_verify_password, _unix_run_helper_binary) Linux-PAM-1.1.8/modules/pam_unix/passverify.c (get_pwd_hash, get_account_info) openssh-6.6p1/auth-pam.c https://www.trustwave.com/Resources/SpiderLabs-Blog/Username-Enumeration-against-OpenSSH-SELinux-with-CVE-2015-3238/ is also a relevant read. OpenSSH under RHEL 5 does not use the helper binary "unix_chkpwd" and it does the password verification itself (in the sshd process). OpenSSH under RHEL 5 triggers high CPU usage when processing very long passwords. However, RHEL uses the faster (50x) md5crypt instead of sha256crypt/sha512crypt for hashing passwords. Hence, the delay generated by processing very long passwords is quite small (compared to sha512crypt) and barely noticeable over the network. I am marking rhel-5/openssh as affected but it would be hard to exploit this in practice. OpenSSH under Ubuntu uses PAM but does not use the "unix_chkpwd" helper binary, hence the long passwords are not truncated automatically. The CPU consumption of sshd reaches 100% for multiple seconds when handling a password of 25000 characters. Due to these reasons, Ubuntu 16.04 LTS is vulnerable to this user enumeration attack. $ gdb --args /usr/sbin/sshd -D -d # this can be used for debugging sshd Under Ubuntu, the above gdb session will hit a breakpoint on "crypt_r" function (which does password hashing) which further confirms that the helper binary "unix_chkpwd" is not used under Ubuntu. Update (26-April-2017): Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 ship with SELinux enabled by default. However, the helper binary "unix_chkpwd" (the usage of which mitigates this flaw) is not used when SELinux is disabled. Disabling SELinux exposes the OpenSSH software to this flaw.
openssh-7.2p2-10.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2563 https://access.redhat.com/errata/RHSA-2017:2563
I haven't looked into why or how, but the fix does not work on CentOS6 (I don't have a RHEL6 available to check, but I assume it's the as it's the same RPM and everything). Using https://www.exploit-db.com/exploits/40136/ I can consistently discover users with passwords once I'd disabled selinux.