| Summary: | dropbear new security issue CVE-2018-15599 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, dan, davidwhodgins, sysadmin-bugs, tarazed25, tmb, zombie_ryushu |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | dropbear-2017.75-2.mga7.src.rpm | CVE: | CVE-2018-15599 |
| Status comment: | |||
|
Description
David Walser
2018-08-28 13:12:10 CEST
David Walser
2018-08-28 13:12:24 CEST
Whiteboard:
(none) =>
MGA6TOO

dropbear-2017.75-1.1.mga6.x86_64.rpm is now available in updates_testing. Here is a testing procedure:

    $ sudo urpmi dropbear python-paramiko
    $ sudo systemctl stop sshd.service
    $ sudo systemctl start dropbear.service
    $ ssh 127.0.0.1 echo Working
    => should return "Working" (this is a sanity test that the server works for ssh)
    $ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py
    $ python ssh-check-username.py --port 22 127.0.0.1 $USER
    => should return "[+] Valid username"
    $ python ssh-check-username.py --port 22 127.0.0.1 invaliduser9999
    => should return "[*] Invalid username" for the vulnerable version, and "[+] Valid username" for the patched version.

An update to Cauldron should first be made to 2018.76, or wait until the security patch makes it into an official release, which hopefully won't be much longer.

CC:
(none) =>
dan

N.B., to revert to the normal OpenSSH server after following the validation instructions above, run:

    $ sudo systemctl stop dropbear.service
    $ sudo systemctl start sshd.service

Proposed security advisory text:

========================

Updated the dropbear package to fix a security vulnerability:

Dropbear is prone to a user enumeration vulnerability (CVE-2018-15599). An external user without credentials can determine whether a given username exists on a server.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15599
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Updated package in core/updates:
dropbear-2017.75-1.1.mga6

Source RPMs:
dropbear-2017.75-1.1.mga6

Status:
NEW =>
ASSIGNED
Dan Fandrich
2018-09-12 00:44:17 CEST
CVE:
(none) =>
CVE-2018-15599

@Dan, we only add "advisory" keyword when it's added to svn

Version:
Cauldron =>
6
David Walser
2018-09-12 21:03:04 CEST
Whiteboard:
has_procedure =>
(none)

Mageia 6, x86_64

Before update:
Installed dropbear and python-paramiko.

    $ rpm -qa | grep dropbear
    dropbear-2017.75-1.mga6

Replaced sshd.service by dropbear.service.

    $ ssh 127.0.0.1 echo Working
    Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
    lcl@127.0.0.1's password:
    Working
    $ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 2655 100 2655 0 0 3375 0 --:--:-- --:--:-- --:--:-- 3386
    [lcl@difda ~]$ python ssh-check-username.py --port 22 127.0.0.1 $USER
    [+] Valid username

Tried the PoC at http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html after opening TCP and UDP ports 22022.

    $ python ssh-check-username.py --port 22022 127.0.0.1 <user>
    [-] Failed to connect

Same message for any user including root. So I do not understand what this is supposed to do.

Reverted to sshd and updated dropbear. Switched to dropbear again and ran the validation tests.

    $ ssh 127.0.0.1 echo Working
    lcl@127.0.0.1's password:
    Working
    $ python ssh-check-username.py --port 22 127.0.0.1 $USER
    [+] Valid username

Copied a file across the LAN then logged in to the target machine remotely and checked that the file had arrived. All OK.
Remote login to the current machine from the remote login on the target machine which was running openSSHD. Working fine, so Dropbear and SSH can talk to each other.

CC:
(none) =>
tarazed25
Len Lawrence
2018-09-13 12:46:38 CEST
Whiteboard:
(none) =>
MGA6-64-OK

The "[-] Failed to connect" line is because you're altering the port number. Dropbear is configured to use port 22 instead. Please also run the invaliduser9999 check as that is the real one that tests that the security fix is working.

This is for the updated dropbear.

    $ rpm -qa | grep dropbear
    dropbear-2017.75-1.1.mga6
    $ systemctl status dropbear
    ● dropbear.service - Dropbear SSH Server Daemon
    Loaded: loaded (/usr/lib/systemd/system/dropbear.service; enabled; vendor pre
    Active: active (running) since Thu 2018-09-13 11:30:11 BST; 2h 0min ago
    [...]
    $ python ssh-check-username.py --port 22 127.0.0.1 invaliduser9999
    [+] Valid username
    $ python ssh-check-username.py --port 22 127.0.0.1 mysql
    [+] Valid username
    $ python ssh-check-username.py --port 22 127.0.0.1 root
    [+] Valid username
    $ python ssh-check-username.py --port 22 127.0.0.1 abc*%£££...
    [+] Valid username

Still not fixed?

That looks fine. The idea is that all users return the same result so that there's no way to determine which users are valid and which are not.

Thanks Dan. Can be validated when advisory is pushed then.

Validating. Suggested advisory in Comment 3.

Keywords:
(none) =>
validated_update
Dave Hodgins
2018-09-21 17:04:28 CEST
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0384.html

Status:
ASSIGNED =>
RESOLVED |
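
Added example, not part of the bug report or the Mageia test procedure: a shell helper that applies the pass criterion discussed in the thread (every username must get the same answer) and treats "[-] Failed to connect" as inconclusive rather than as a pass. The function names, the tab-separated input format and the sample lines are constructed for illustration; the checker command line is the one from the testing procedure.

```shell
#!/bin/sh
# Added example. Input format (assumed): "username<TAB>last line of checker output".

# classify_results: read probe results on stdin and print one verdict:
#   UNIFORM          every username got the same answer (expected after the fix)
#   DISTINGUISHABLE  answers differ, so account names can be told apart
#   INCONCLUSIVE     fewer than two probes, or the checker never reached the server
classify_results() {
    awk -F '\t' '
        NF < 2              { next }         # skip blank or malformed lines
        /Failed to connect/ { failed = 1 }   # wrong port or service not running
                            { seen[$2] = 1; n++ }
        END {
            kinds = 0
            for (k in seen) kinds++
            if (n < 2 || failed)  verdict = "INCONCLUSIVE"
            else if (kinds == 1)  verdict = "UNIFORM"
            else                  verdict = "DISTINGUISHABLE"
            print verdict
        }'
}

# probe_users HOST PORT USER...: run the checker from the testing procedure
# once per name and emit lines in the format classify_results expects.
probe_users() {
    host=$1; port=$2; shift 2
    for u in "$@"; do
        out=$(python ssh-check-username.py --port "$port" "$host" "$u" 2>&1 | tail -n 1)
        printf '%s\t%s\n' "$u" "$out"
    done
}
# Live use on the test machine:
#   probe_users 127.0.0.1 22 "$USER" invaliduser9999 | classify_results

# Constructed samples modelled on the outputs quoted in this report.
sample_patched()    { printf 'lcl\t[+] Valid username\ninvaliduser9999\t[+] Valid username\n'; }
sample_vulnerable() { printf 'lcl\t[+] Valid username\ninvaliduser9999\t[*] Invalid username\n'; }
sample_wrong_port() { printf 'lcl\t[-] Failed to connect\nroot\t[-] Failed to connect\n'; }

for s in sample_patched sample_vulnerable sample_wrong_port; do
    printf '%s: %s\n' "$s" "$($s | classify_results)"
done
```

A meaningful run includes at least one account known to exist and one known not to exist; a UNIFORM verdict over only valid names says nothing about the fix.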