• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Severe Hikvision HikCentral product flaws: What You Need to Know

 | 

U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog

 | 

Google addressed two Android flaws actively exploited in targeted attacks

 | 

U.S. CISA adds WhatsApp, and TP-link flaws to its Known Exploited Vulnerabilities catalog

 | 

Android droppers evolved into versatile tools to spread malware

 | 

Jaguar Land Rover shuts down systems after cyberattack, no evidence of customer data theft

 | 

Cloudflare blocked a record 11.5 Tbps DDoS attack

 | 

Palo Alto Networks disclosed a data breach linked to Salesloft Drift incident

 | 

Von der Leyen’s plane hit by suspected Russian GPS Jamming in Bulgaria, landed Safely

 | 

Supply-chain attack hits Zscaler via Salesloft Drift, leaking customer info

 | 

Crooks exploit Meta malvertising to target Android users with Brokewell

 | 

North Korea’s APT37 deploys RokRAT in new phishing campaign against academics

 | 

Fraudster stole over $1.5 million from city of Baltimore

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 60

 | 

Security Affairs newsletter Round 539 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Amazon blocks APT29 campaign targeting Microsoft device code authentication

 | 

Lab Dookhtegan hacking group disrupts communications on dozens of Iranian ships

 | 

New zero-click exploit allegedly used to hack WhatsApp users

 | 

US and Dutch Police dismantle VerifTools fake ID marketplace

 | 

Experts warn of actively exploited FreePBX zero-day

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • CVE-2018-15919 username enumeration flaw affects OpenSSH Versions Since 2011

CVE-2018-15919 username enumeration flaw affects OpenSSH Versions Since 2011

Pierluigi Paganini August 29, 2018

Qualys experts discovered that OpenSSH is still vulnerable to Oracle attack, it is affected by the CVE-2018-15919 flaw at least since September 2011.

Security experts from Qualys discovered that OpenSSH is still vulnerable to Oracle attack, it is affected by the CVE-2018-15919 flaw at least since September 2011.

A few days ago the security expert Darek Tytko from securitum.pl has reported a similar username enumeration vulnerability in the OpenSSH client. The flaw tracked as CVE-2018-15473 affects all versions of the software that was released since 1999. The vulnerability could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

Researchers from Qualys discovered that another username enumeration vulnerability affects the latest version of OpenSSH, the issue was tracked as CVE-2018-15919.

Qualys researchers discovered the vulnerability while analyzing a commit in the OpenBSD source code.

“While properly reviewing the now-famous OpenSSH commit https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 we discovered another username-enumeration vulnerability in auth2-gss.c (enabled by default on at least Fedora, CentOS, and Red Hat Enterprise Linux).” reads the security advisory.

“This vulnerability affects OpenSSH versions from 5.9 (September 6, 2011) to the recently released 7.8 (August 24, 2018), inclusive. It is quite similar to CVE-2018-15473 (it is not a timing attack), but it is also markedly different (code excerpts from OpenSSH 7.8p1)”

The issue resides in the auth2-gss.c module that is enabled by default on many Linux distros, including CentOS, Fedora, and Red Hat Enterprise Linux.

When a user tries to authenticate, an attacker receives the same packet whether the user is valid or not as explained in the report.

  • “if the user is valid, then “server_caused_failure” is set, “failures” is not incremented, and the attacker can attempt the GSSAPI authentication indefinitely;
  • if the user is invalid, then “server_caused_failure” is not set, “failures” is incremented (at line 412), and the server will disconnect the attacker (at line 417) after max_authtries authentication attempts (6, by default).”

If the user is valid, then ‘server_caused_failure’ is set,” this is not true when the user that does not exist.

Experts explained that the number of attempts for an invalid user is limited to six, while if a valid user is provided the attacker can attempt the GSSAPI authentication indefinitely.

The latter case allows the attacker to run brute-force attacks on the password.

Experts published the following proof-of-concept code for the CVE-2018-15919 flaw:

diff -pruN openssh-7.8p1/gss-genr.c openssh-7.8p1-poc/gss-genr.c
--- openssh-7.8p1/gss-genr.c    2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/gss-genr.c        2018-08-22 22:41:42.000000000 -0700
@@ -286,6 +286,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
 
        ssh_gssapi_build_ctx(ctx);
        ssh_gssapi_set_oid(*ctx, oid);
+       return 1;
        major = ssh_gssapi_import_name(*ctx, host);
        if (!GSS_ERROR(major)) {
                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
diff -pruN openssh-7.8p1/sshconnect2.c openssh-7.8p1-poc/sshconnect2.c
--- openssh-7.8p1/sshconnect2.c 2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/sshconnect2.c     2018-08-22 22:41:42.000000000 -0700
@@ -701,6 +701,7 @@ userauth_gssapi(Authctxt *authctxt)
        ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
        ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
        ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+       return 1;
 
        mech++; /* Move along to next candidate */

CVE-2018-15919

According to the experts from Qualys, the OpenSSH maintainers do not consider the username enumeration vulnerability as critical and for this reason, it hasn’t planned a fix in a short time.

“Open-source developer Damien Miller working on OpenSSH says that system libraries do not treat this type of information disclosure as a threat because usernames are considered the non-secret part of user identity, useless to an attacker without the accompanying password.” states Bleeping Computer.

“Specific users on a system can often give away the exact operating system or distribution, as well as services that are running on the system, especially if they have default usernames for those services,” Jimmy Graham, Director of Product Management at Qualys. told BleepingComputer.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-15919, OpenSSH)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

CVE-2018-15919 Hacking openssh Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini September 04, 2025
Severe Hikvision HikCentral product flaws: What You Need to Know
Read more
Pierluigi Paganini September 04, 2025
U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Severe Hikvision HikCentral product flaws: What You Need to Know

    Hacking / September 04, 2025

    U.S. CISA adds TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities catalog

    Hacking / September 04, 2025

    Crooks turn HexStrike AI into a weapon for fresh vulnerabilities

    Cyber Crime / September 03, 2025

    Google addressed two Android flaws actively exploited in targeted attacks

    Security / September 03, 2025

    U.S. CISA adds WhatsApp, and TP-link flaws to its Known Exploited Vulnerabilities catalog

    Hacking / September 03, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT