Bug 1433824 (CVE-2017-2659) - CVE-2017-2659 dropbear: Information leak when given invalid username
Summary: CVE-2017-2659 dropbear: Information leak when given invalid username
Keywords:
Status: NEW
Alias: CVE-2017-2659
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20190318,reported=2...
Depends On:
Blocks:
 
Reported: 2017-03-20 03:07 UTC by Doran Moppert
Modified: 2019-06-08 21:51 UTC
CC List: 5 users

Fixed In Version: dropbear 2013.59
Doc Type: If docs needed, set a value
Doc Text:
It was found that dropbear, with GSSAPI, leaks whether the given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
Clone Of:
Environment:
Last Closed:



Description Doran Moppert 2017-03-20 03:07:25 UTC
It was found that dropbear with GSSAPI leaks whether a given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.

This was fixed in dropbear-2013.59, as part of the following patch:

https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
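The mechanism behind this report, as an added illustration that is not dropbear's own code and not taken from the linked patch: a small model of an SSH server's userauth failure counter. The vulnerable variant rejects an unknown username early and always counts that rejection, even for a method whose failures are not normally counted toward the limit; the fixed variant applies the same counting rule whether or not the user exists, so the number of attempts before disconnect no longer depends on the name. The type and function names (auth_state, handle_userauth, probe_username), the MAX_AUTH_TRIES value, the account list and the choice of which methods count are assumptions made for this example.

```c
/* Added illustration, not dropbear source. Names, the attempt limit and
 * the account list below are assumptions for this example. */
#include <stdio.h>
#include <string.h>

#define MAX_AUTH_TRIES 10   /* assumed limit on counted failures */

enum auth_method { METHOD_NONE, METHOD_PASSWORD, METHOD_GSSAPI };
enum auth_reply  { REPLY_FAILURE, REPLY_DISCONNECT };

struct auth_state {
    int failcount;   /* failures counted toward MAX_AUTH_TRIES */
};

/* Constructed account list standing in for the system user database. */
static const char *valid_users[] = { "root", "alice", NULL };

static int user_exists(const char *name) {
    for (const char **u = valid_users; *u; u++)
        if (strcmp(*u, name) == 0) return 1;
    return 0;
}

/* Whether a failed attempt with this method is normally counted.
 * Following the report, a GSSAPI failure is not meant to count toward
 * the password-attempt limit; a password failure is. */
static int method_failure_counts(enum auth_method m) {
    return m == METHOD_PASSWORD;
}

/* Model of handling one SSH_MSG_USERAUTH_REQUEST.
 * vulnerable=1: an unknown username is rejected early and that
 *               rejection is always counted, whatever the method.
 * vulnerable=0: the method's own counting rule applies either way,
 *               so the count carries no information about the name. */
static enum auth_reply handle_userauth(struct auth_state *st,
                                       const char *username,
                                       enum auth_method method,
                                       int vulnerable) {
    int incrfail;
    if (!user_exists(username)) {
        incrfail = vulnerable ? 1 : method_failure_counts(method);
    } else {
        /* Credentials are never right in this model, so every attempt
         * fails; it is counted by the method's rule. */
        incrfail = method_failure_counts(method);
    }
    if (incrfail && ++st->failcount >= MAX_AUTH_TRIES)
        return REPLY_DISCONNECT;
    return REPLY_FAILURE;
}

/* Attacker side: send MAX_AUTH_TRIES attempts with a method whose
 * failures should not count, and watch for a disconnect.
 * Returns 1 if the server behaved as if the name were unknown. */
static int probe_username(const char *username, int vulnerable) {
    struct auth_state st = { 0 };
    for (int i = 0; i < MAX_AUTH_TRIES; i++) {
        if (handle_userauth(&st, username, METHOD_GSSAPI, vulnerable)
                == REPLY_DISCONNECT)
            return 1;
    }
    return 0;
}

int main(void) {
    const char *names[] = { "alice", "mallory" };
    for (int v = 1; v >= 0; v--) {
        printf("%s server:\n", v ? "vulnerable" : "fixed");
        for (int i = 0; i < 2; i++)
            printf("  %-8s -> %s\n", names[i],
                   probe_username(names[i], v)
                       ? "disconnected (name looks unknown)"
                       : "still connected (name looks valid)");
    }
    return 0;
}
```

Against the vulnerable model only the unknown name "mallory" is disconnected after the limit, which is the oracle; against the fixed model both names behave identically. The practical check for a deployed server is the same as the probe: repeat a non-counted authentication method for a known-good and a made-up username and compare when, if ever, the connection is dropped.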

Comment 1 Doran Moppert 2017-03-20 03:11:35 UTC
Acknowledgments:

Name: Gilford Martino (Bae Systems), Scott McKee (Bae Systems)

Comment 2 Doran Moppert 2019-03-18 02:53:05 UTC
External References:

https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86

