OpenSSH user enumeration vulnerability (CVE-2018-15473)

An OpenSSH user enumeration vulnerability (CVE-2018-15473) became public via a GitHub commit. This vulnerability does not produce a list of valid usernames, but it does allow guessing of usernames.

By sending a malformed public key authentication message to an OpenSSH server, the existence of a particular username can be ascertained. If the user does not exist, an authentication failure message will be sent to the client. In case the user exists, failure to parse the message will abort the communication: the connection will be closed without sending back any message.

How to detect if a host is targeted by this attack? Search for this type of event:

fatal: ssh_packet_get_string: incomplete message [preauth]

keep an eye on your log files and block suspicious IP addresses that make too many SSH attempts (check with your firewall logs).

Affected Software/OS:
OpenSSH version 7.7 and prior on Windows.

Update to version 7.8 or later.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.