CVE-2018-15473 patch introduce user enumeration vulnerability

This sounds like the following, which the upstream OpenSSH developers chose to ignore:

https://www.openwall.com/lists/oss-security/2018/08/27/2

Could you confirm? Thanks!

That issue was assigned CVE-2018-15919

Thanks for the suggestion. But I believe this is a separate issue:

1. As far as I can tell, this issue is related to public key and not gssapi auth method. In the tests I made GSSAPIAuthentication was set to default (i.e. turned off).

2. I have been unable to reproduce it in vanilla OpenSSH releases. Only time I can reproduce it is after patch CVE-2018-15473.patch has been applied.

Further just to check, I have just tried with a vanilla openssh-7.8p1.tar.gz (as identified in https://www.openwall.com/lists/oss-security/2018/08/27/2) and the issue is not present. Also, I broke CVE-2018-15473.patch up and only applied changes that it makes to auth2-pubkey.c (i.e. ignoring that changes to auth2-gss.c) and the issue was present.

Regardless, considering the age of the software and the effort required to property track this down I guess this will be marked as a WontFix issue too.

Thanks for the info, I'll do some tests on my end to investigate the issue.

I have located the issue, it is caused by a backporting error in the CVE-2018-15473 patch. I have uploaded a package for building in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once it is finished building, could you please test the package and let us know if it also fixes the issue for you? Thanks, and thanks for reporting this!

Nice work, thanks Marc!

To confirm, I tested 1:7.6p1-4ubuntu0.5 from the ppa and the vulnerability was not present. Further I run a standard CVE-2018-15473 exploit script and it was unable to determine the difference between a valid and invalid user. So all appears correct from my perspective.

Great, thanks for testing! I'll release it tomorrow.

This bug was fixed in the package openssh - 1:7.6p1-4ubuntu0.5

---------------
openssh (1:7.6p1-4ubuntu0.5) bionic-security; urgency=medium

  * SECURITY REGRESSION: User enumeration issue (LP: #1934501)
    - debian/patches/CVE-2018-15473.patch: updated to fix bad patch
      backport.

 -- Marc Deslauriers <email address hidden> Wed, 11 Aug 2021 14:02:09 -0400

Can I make this bug public now that the update has been released?

Fine by me, thanks for checking.

Hi. I believe my Ubuntu systems just received this patch and I believe it failed to install:
------------
Can't exec "/tmp/openssh-server.config.neW0Pf": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.
open2: exec of /tmp/openssh-server.config.neW0Pf configure 1:7.6p1-4ubuntu0.3 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
-------------

I think this is due to the fact I have noexec on /tmp.
Is it possible to bundle the changes in the package instead of putting a random temporary file in /tmp and attempt to execute it?

This isn't specific to the openssh update. Debian packages use tools such as debconf that need to write to /tmp to function correctly.

Here's the debconf bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223683

Hi Kazza, Marc,

I was wondering if you can repro the same bug in Debian Stretch? Do you have the capacity to test that as well, please? :)

Hello Utkarsh,

I've just quickly run through the steps in the original bug report against a recent Debian Stretch docker image and as not able to reproduce it.

Image tested:
$ docker images | grep stretch
debian stretch d74a4ce6ed8b 11 days ago 101MB

If you are concerned, I suggest looking into the history/VCS logs of:
* debian/patches/CVE-2018-15473.patch

Then you can know if it traces back to Debian.

Hope it help.

Thanks, Kazza. That certainly helped. I also had a word with Marc and we reached to the conclusion that Stretch isn't affected with this backporting problem.

Thanks, again! \o/