Re: [oss-security] Re: About OpenSSH "user enumeration" / CVE-2018-15473

On Fri, 24 Aug 2018, Solar Designer wrote:

> Hi Damien,
> 
> Thank you for sharing these thoughts with the community.
> 
> On Fri, Aug 24, 2018 at 10:58:20AM +1000, Damien Miller wrote:
> > Finally, and perhaps most importantly: there's a fundamental tradeoff
> > between attack surface and fixing this class of bug. As a concrete
> > example, fixing this one added about 150 lines of code to our
> > pre-authentication attack surface. In this case, we were willing to do
> > this because we had confidence in the additional parsing, mostly because
> > it's been reviewed several times and we've conducted a decent amount of
> > fuzzing on it. But, given the choice between leaving a known account
> > validity oracle or exposing something we don't trust, we'll choose the
> > former every time.
> 
> Can you summarize for us all (on these mailing lists) the commits
> leading to OpenSSH 7.8 that deal with this issue and add "about 150
> lines of code", please? 

It's this one:

>  * sshd(8): avoid observable differences in request parsing that could
>    be used to determine whether a target user is valid.

(Commit 74287f5df9)

Note that there's no new code added, but delaying the checks means more
code is exposed before the authentication handler bails out.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
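
As an added illustration (not code from OpenSSH or from this thread), the toy C model below shows the trade-off discussed above: checking user validity before parsing makes the answer to a malformed request depend on whether the account exists, while deferring the check removes that difference at the cost of running the parser for unknown users. The wire format, the function names and the account name `alice` are assumptions made up for the example.

```c
#include <string.h>

/* Toy model: the outcomes a remote client can tell apart. */
enum outcome { AUTH_FAILURE, PARSE_ERROR, AUTH_SUCCESS };
/* Hypothetical request: user name plus "length byte + key" blob. */
struct request { const char *user; const unsigned char *buf; size_t len; };

static int user_is_valid(const char *u) { return strcmp(u, "alice") == 0; }
/* Returns 0 and the key length, or -1 if the length byte is wrong. */
static int parse_blob(const struct request *r, size_t *klen)
{
    if (r->len < 1 || (size_t)r->buf[0] != r->len - 1) return -1;
    *klen = r->len - 1;
    return 0;
}

static int key_ok(const struct request *r, size_t klen)
{
    return klen == 3 && memcmp(r->buf + 1, "KEY", 3) == 0;
}

/* Early check: unknown users never reach the parser, so a malformed
 * request is answered differently depending on whether the user exists. */
enum outcome handle_early_check(const struct request *r)
{
    size_t klen;
    if (!user_is_valid(r->user)) return AUTH_FAILURE;
    if (parse_blob(r, &klen) != 0) return PARSE_ERROR;
    return key_ok(r, klen) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Deferred check: parse first. The oracle is gone, but parse_blob() now
 * runs for any user name, i.e. more pre-authentication attack surface. */
enum outcome handle_deferred_check(const struct request *r)
{
    size_t klen;
    if (parse_blob(r, &klen) != 0) return PARSE_ERROR;
    if (!user_is_valid(r->user)) return AUTH_FAILURE;
    return key_ok(r, klen) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Regression check: 1 if a malformed request reveals account validity. */
int leaks_validity(enum outcome (*h)(const struct request *))
{
    static const unsigned char bad[] = { 9, 'K' }; /* constructed input */
    struct request known = { "alice", bad, sizeof bad };
    struct request unknown = { "nobody", bad, sizeof bad };
    return h(&known) != h(&unknown);
}
```

`leaks_validity()` can be kept as a regression test for any handler with the same signature: it should return 0 for a handler that gives identical answers to malformed input regardless of the user name.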


