A user enumeration issue fixed upstream in dropbear has been announced: http://openwall.com/lists/oss-security/2018/08/27/3 A patch to fix the issue is linked from the message above. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
dropbear-2017.75-1.1.mga6.x86_64.rpm is now available in updates_testing. Here is a testing procedure:

  $ sudo urpmi dropbear python-paramiko
  $ sudo systemctl stop sshd.service
  $ sudo systemctl start dropbear.service
  $ ssh 127.0.0.1 echo Working
    => should return "Working" (this is a sanity test that the server works for ssh)
  $ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py
  $ python ssh-check-username.py --port 22 127.0.0.1 $USER
    => should return "[+] Valid username"
  $ python ssh-check-username.py --port 22 127.0.0.1 invaliduser9999
    => should return "[*] Invalid username" for the vulnerable version, and "[+] Valid username" for the patched version.

An update to Cauldron should first be made to 2018.76, or wait until the security patch makes it into an official release, which hopefully won't be much longer.
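As an added wrapper around the validation procedure above (not part of the bug report or of the dropbear project), the following POSIX shell functions run the same username probe for a known account and for a constructed non-existent one and report whether the two replies are identical, which is the property the patch is meant to guarantee. It assumes the ssh-check-username.py script linked above is in the current directory; the CHECKER variable is an assumption of this example and lets another probe command be substituted.

```shell
#!/bin/sh
# Added example: compares the server's reply for a real user with its
# reply for a constructed bogus user. A patched dropbear answers both
# the same way; a vulnerable one distinguishes them.
# Assumption: ssh-check-username.py (linked in the procedure above) is
# in the current directory. CHECKER may be overridden to use any
# command that accepts "--port PORT HOST USER" and prints one verdict line.

CHECKER="${CHECKER:-python ssh-check-username.py}"

# probe HOST PORT USER -> prints the first line of the probe's output
probe() {
    $CHECKER --port "$2" "$1" "$3" 2>&1 | head -n 1
}

# same_response HOST PORT KNOWN_USER
# Prints "patched" when the known user and the constructed user
# "invaliduser9999" get the same reply, "vulnerable" otherwise.
same_response() {
    known=$(probe "$1" "$2" "$3")
    bogus=$(probe "$1" "$2" "invaliduser9999")
    if [ "$known" = "$bogus" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Usage: sh check-dropbear-fix.sh 127.0.0.1 22 "$USER"
if [ $# -eq 3 ]; then
    same_response "$@"
fi
```

Run it against the loopback address with the port dropbear listens on and your own login name; the expected verdict for dropbear-2017.75-1.1.mga6 is "patched".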
CC: (none) => dan
Assignee: dan => qa-bugs
Whiteboard: MGA6TOO => MGA6TOO, has_procedure
N.B., to revert to the normal OpenSSH server after following the validation instructions above, run:

  $ sudo systemctl stop dropbear.service
  $ sudo systemctl start sshd.service
Proposed security advisory text:
========================
Updated the dropbear package to fix a security vulnerability:

Dropbear is prone to a user enumeration vulnerability (CVE-2018-15599). An external user without credentials can determine whether a given username exists on a server.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15599
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
========================
Updated package in core/updates:
dropbear-2017.75-1.1.mga6

Source RPMs:
dropbear-2017.75-1.1.mga6
Status: NEW => ASSIGNED
Keywords: (none) => advisory
Whiteboard: MGA6TOO, has_procedure => MGA6TOO has_procedure
CVE: (none) => CVE-2018-15599
@Dan, we only add the "advisory" keyword when it's added to svn
Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO has_procedure => has_procedure
Keywords: advisory => (none)
Whiteboard: has_procedure => (none)
Keywords: (none) => has_procedure
Mageia 6, x86_64

Before update:
Installed dropbear and python-paramiko.

  $ rpm -qa | grep dropbear
  dropbear-2017.75-1.mga6

Replaced sshd.service by dropbear.service.

  $ ssh 127.0.0.1 echo Working
  Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
  lcl@127.0.0.1's password:
  Working
  $ curl -ORL https://bugfuzz.com/stuff/ssh-check-username.py
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  2655  100  2655    0     0   3375      0 --:--:-- --:--:-- --:--:--  3386
  [lcl@difda ~]$ python ssh-check-username.py --port 22 127.0.0.1 $USER
  [+] Valid username

Tried the PoC at http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html after opening TCP and UDP ports 22022.

  $ python ssh-check-username.py --port 22022 127.0.0.1 <user>
  [-] Failed to connect

Same message for any user including root. So I do not understand what this is supposed to do.

Reverted to sshd and updated dropbear. Switched to dropbear again and ran the validation tests.

  $ ssh 127.0.0.1 echo Working
  lcl@127.0.0.1's password:
  Working
  $ python ssh-check-username.py --port 22 127.0.0.1 $USER
  [+] Valid username

Copied a file across the LAN then logged in to the target machine remotely and checked that the file had arrived. All OK. Remote login to the current machine from the remote login on the target machine which was running openSSHD. Working fine, so Dropbear and SSH can talk to each other.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
The "[-] Failed to connect" line is because you're altering the port number. Dropbear is configured to use port 22 instead. Please also run the invaliduser9999 check as that is the real one that tests that the security fix is working.
This is for the updated dropbear.

  $ rpm -qa | grep dropbear
  dropbear-2017.75-1.1.mga6
  $ systemctl status dropbear
  ● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; enabled; vendor pre
     Active: active (running) since Thu 2018-09-13 11:30:11 BST; 2h 0min ago
  [...]
  $ python ssh-check-username.py --port 22 127.0.0.1 invaliduser9999
  [+] Valid username
  $ python ssh-check-username.py --port 22 127.0.0.1 mysql
  [+] Valid username
  $ python ssh-check-username.py --port 22 127.0.0.1 root
  [+] Valid username
  $ python ssh-check-username.py --port 22 127.0.0.1 abc*%£££...
  [+] Valid username

Still not fixed?
That looks fine. The idea is that all users return the same result so that there's no way to determine which users are valid and which are not.
Thanks Dan. Can be validated when advisory is pushed then.
Validating. Suggested advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0384.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
*** Bug 27951 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu