[oss-security] Re: About OpenSSH "user enumeration" / CVE-2018-15473
Damien Miller
djm at mindrot.org
Sat Aug 25 10:32:12 AEST 2018
On Fri, 24 Aug 2018, Solar Designer wrote:
> Hi Damien,
>
> Thank you for sharing these thoughts with the community.
>
> On Fri, Aug 24, 2018 at 10:58:20AM +1000, Damien Miller wrote:
> > Finally, and perhaps most importantly: there's a fundamental tradeoff
> > between attack surface and fixing this class of bug. As a concrete
> > example, fixing this one added about 150 lines of code to our
> > pre-authentication attack surface. In this case, we were willing to do
> > this because we had confidence in the additional parsing, mostly because
> > it's been reviewed several times and we've conducted a decent amount of
> > fuzzing on it. But, given the choice between leaving a known account
> > validity oracle or exposing something we don't trust, we'll choose the
> > former every time.
>
> Can you summarize for us all (on these mailing lists) the commits
> leading to OpenSSH 7.8 that deal with this issue and add "about 150
> lines of code", please?
It's this one:
> * sshd(8): avoid observable differences in request parsing that could
> be used to determine whether a target user is valid.
(Commit 74287f5df9)
Note that there's no new code added, but delaying the checks means more
code is exposed before the authentication handler bails out.
-d
More information about the openssh-unix-dev
mailing list