Vulnerability CVE-2018-15473


Published: 2018-08-17

Description:
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

See advisories in our WLB2 database:
Risk | Topic | Author | Date
Low | OpenSSH 7.7 - Username Enumeration | Justin Gardner | 24.08.2018
Low | OpenSSH < 7.7 User Enumeration (2) | Leap Security | 05.12.2018

Type: CWE-200 (Information Exposure)

Vendor: Debian
Product: Debian linux 
Version: 9.0; 8.0;
Vendor: Openbsd
Product: Openssh 
Version: 7.7; 7.6; 7.5; 7.4; 7.3; 7.2; 7.1; 7.0; 6.9; 6.8; 6.7; 6.6; 6.5; 6.4; 6.3; 6.2; 6.1; 6.0; 5.9; 5.8p2; 5.8; 5.7; 5.6; 5.5; 5.4; 5.3; 5.2; 5.1; 5.0; 4.9; 4.8; 4.7p1; 4.7; 4.6; 4.5; 4.4p1; 4.4; 4.3p2; 4.3p1; 4.3; 4.2p1; 4.2; 4.1p1; 4.1; 4.0p1; 4.0; 3.9.1p1; 3.9.1; 3.9; 3.8.1p1; 3.8.1; 3.8; 3.7.1p2; 3.7.1p1; 3.7.1; 3.7; 3.6.1p2; 3.6.1p1; 3.6.1; 3.6; 3.5p1; 3.5; 3.4p1; 3.4; 3.3p1; 3.3; 3.2.3p1; 3.2.2p1; 3.2.2; 3.2; 3.1p1; 3.1; 3.0p1; 3.0.2p1; 3.0.2; 3.0.1p1; 3.0.1; 3.0; 2.9p2; 2.9p1; 2.9.9p2; 2.9.9; 2.9; 2.5.2; 2.5.1; 2.5; 2.3.1; 2.3; 2.2; 2.1.1; 2.1; 2;
See more versions on NVD
Vendor: Redhat
Product: Enterprise linux server 
Version: 6.0;
Product: Enterprise linux desktop 
Version: 6.0;
Product: Enterprise linux workstation 
Version: 6.0;
Vendor: Canonical
Product: Ubuntu linux 
Version: 18.04; 16.04; 14.04;
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://www.openwall.com/lists/oss-security/2018/08/15/5
http://www.securityfocus.com/bid/105140
http://www.securitytracker.com/id/1041487
https://access.redhat.com/errata/RHSA-2019:0711
https://bugs.debian.org/906236
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
https://lists.debian.org/debian-lts-announce/2018/08/msg00022.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0011
https://security.gentoo.org/glsa/201810-03
https://security.netapp.com/advisory/ntap-20181101-0001/
https://usn.ubuntu.com/3809-1/
https://www.debian.org/security/2018/dsa-4280
https://www.exploit-db.com/exploits/45210/
https://www.exploit-db.com/exploits/45233/
https://www.exploit-db.com/exploits/45939/


Copyright 2019, cxsecurity.com

 
