Patch for CVE-2018-15919

Hi everyone,

I created a patch for CVE-2018-15919, "user enumeration via auth2-gss.c" (even though it is not user enumeration).

While this patch appears to fix the problem, at least from my small amount of testing, I can't be sure that I am not introducing a new bug or a new security hole. Hopefully some people who are more knowledgeable can take a look.

The fix is two parts:

1) When a valid username is presented, sshd responds with SSH_MSG_USERAUTH_INFO_REQUEST. Otherwise, sshd responds with SSH_MSG_USERAUTH_FAILURE.

My solution to this is to remove the code that presents the SSH_MSG_USERAUTH_FAILURE when an invalid username is presented. The expectation is that the login will be invalidated if/when the gssapi credentials are presented later.

2) The failure count is not incremented when a valid username is presented, but credentials are not.

I created an interim value, was_postponed, that records the value of postponed so that when postponed is reset and the authentication is checked it can be used to determine whether the failure count can be increased.

I hope that you will find this useful.

--Thanks,

--Jason Sikes

Index: openssh-7.6p1/auth2-gss.c
===================================================================
--- openssh-7.6p1.orig/auth2-gss.c
+++ openssh-7.6p1/auth2-gss.c
@@ -135,12 +135,6 @@ userauth_gssapi(struct ssh *ssh)
 		return (0);
 	}
 
-	if (!authctxt->valid || authctxt->user == NULL) {
-		debug2("%s: disabled because of invalid user", __func__);
-		free(doid);
-		return (0);
-	}
-
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);
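Review bot: with the `!authctxt->valid || authctxt->user == NULL` check removed from userauth_gssapi(), an invalid or NULL user now reaches ssh_gssapi_server_ctx() and whatever follows it, and nothing in this hunk shows where that login is later rejected. Please point to (or add) the later check of authctxt->valid that fails the exchange once the GSSAPI credentials arrive, and confirm that no code after this point dereferences authctxt->user without a NULL test. The removed debug2() was also the only log trace for this case in the hunk, so consider keeping a debug line that does not change the reply sent to the client.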
Index: openssh-7.6p1/auth2.c
===================================================================
--- openssh-7.6p1.orig/auth2.c
+++ openssh-7.6p1/auth2.c
@@ -223,6 +223,7 @@ input_userauth_request(int type, u_int32
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 	int authenticated = 0;
+	int was_postponed = authctxt->postponed;
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
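Review bot: the new initializer `int was_postponed = authctxt->postponed;` dereferences authctxt two lines before the `if (authctxt == NULL)` check that calls fatal(), so that check can no longer catch a NULL context. Declare `int was_postponed;` here and assign it after the NULL check.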
@@ -287,6 +288,8 @@ input_userauth_request(int type, u_int32
 	if (m != NULL && authctxt->failures < options.max_authtries) {
 		debug2("input_userauth_request: try method %s", method);
 		authenticated =	m->userauth(ssh);
+		if (!authenticated && was_postponed)
+			authctxt->failures++;
 	}
 	userauth_finish(ssh, authenticated, method, NULL);
 
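Review bot: the added `if (!authenticated && was_postponed)` increment has no comment, and from the condition alone it is not clear that it charges the earlier exchange that was left postponed rather than the method just tried; please add a comment saying so. The test reads authctxt->postponed without looking at the method, so it changes failure accounting for any method that postpones, not only gssapi; either state that this is intended or restrict it. Also check that userauth_finish(), called on the next line with the same `authenticated` value, does not count the same failure a second time.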

Attachment: pEpkey.asc
Description: application/pgp-keys

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
