Bug 23452

Summary: openssh new user enumeration security issue (CVE-2018-15473)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: guillomovitch, mageia, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: openssh-7.5p1-2.1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-08-16 13:08:06 CEST 
A security issue fixed upstream in OpenSSH has been announced on August 15:
http://openwall.com/lists/oss-security/2018/08/15/5

The commit fixing the issue is linked from the message above.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-16 13:08:22 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 13:45:10 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2018-08-16 21:05:28 CEST 
Fixed in cauldron by openssh-7.7p1-1.mga7.
David Walser 2018-08-17 04:30:20 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-08-19 21:02:18 CEST 
This has been assigned CVE-2018-15473:
http://openwall.com/lists/oss-security/2018/08/17/8

Summary: openssh new user enumeration security issue => openssh new user enumeration security issue (CVE-2018-15473)

Comment 4 David Walser 2018-08-23 04:08:28 CEST 
Patched package uploaded by Guillaume.  Advisory to come later.

openssh-7.5p1-2.2.mga6
openssh-clients-7.5p1-2.2.mga6
openssh-server-7.5p1-2.2.mga6
openssh-askpass-common-7.5p1-2.2.mga6
openssh-askpass-7.5p1-2.2.mga6
openssh-askpass-gnome-7.5p1-2.2.mga6
openssh-ldap-7.5p1-2.2.mga6

from openssh-7.5p1-2.2.mga6.src.rpm

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch

Comment 5 David Walser 2018-08-23 12:36:27 CEST 
Full writeup of the issue:
https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
Comment 6 Thomas Backlund 2018-08-24 00:44:55 CEST 
Advisory, added to svn:

type: security
subject: Updated openssh packages fix security vulnerability
CVE:
 - CVE-2018-15473
src:
  6:
   core:
     - openssh-7.5p1-2.2.mga6
description: |
  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to
  not delaying bailout for an invalid authenticating user until after the
  packet containing the request has been fully parsed, related to
  auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c (CVE-2018-15473).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23452
 - https://openwall.com/lists/oss-security/2018/08/15/5
 - https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Thomas Backlund 2018-08-24 01:00:16 CEST 
works on mga infra

Whiteboard: (none) => MGA6-64-OK

Comment 8 PC LX 2018-08-24 16:14:59 CEST 
Installed and tested without issues.

Test included:
- client and server shell (bash) session.
- scp files to/from a server.
- rsync files to/from a server.
- pssh to various servers.
- port forwarding (local port to remote cpanel listening on lo device, local port to remote mysql listening on lo device).
- ed25519 key authentication.
- ssh-agent
- ssh-add

local and remote systems: Mageia 6, x86_64, Intel CPU or AMD CPU.

$ uname -a
Linux marte 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep openssh | sort
openssh-7.5p1-2.2.mga6
openssh-askpass-7.5p1-2.2.mga6
openssh-askpass-common-7.5p1-2.2.mga6
openssh-askpass-qt4-1.0.1-12.mga6
openssh-askpass-qt5-2.0.3-1.mga6
openssh-clients-7.5p1-2.2.mga6
openssh-server-7.5p1-2.2.mga6

CC: (none) => mageia

Thomas Backlund 2018-08-31 22:12:49 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-08-31 23:13:23 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0363.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED