
CVE-2016-6210: Opensshd user enumeration - campuscodi
http://seclists.org/fulldisclosure/2016/Jul/51
======
ams6110
You shouldn't be allowing password authentication in ssh in the first place.

~~~
LinuxBender
To add to that, sshd should never be exposed directly on the internet. There
are a myriad of ways to hide it. Port-knocking, poor-man's port-knocking using
iptables and xt_recent, Ostiary server/client, firewall to specific networks,
just to name a few.

------
yeukhon
> This issue was reported to OPENSSH developer group and they have sent a
> patch ( don't know if patch was released yet). (thanks to 'dtucker () zip
> com au' for his quick reply and fix suggestion).

Is this another incident of premature announcement? I expect a patch TO BE
MADE AVAILABLE before someone discloses this vulnerability. Or any kind of
vulnerability, to be exact.

~~~
throwaway2048
Not everyone agrees

------
jtchang
Kind of interesting but I think installing fail2ban will reduce the severity
quite a bit. However it still allows an attacker to figure out if a username
is valid or not (just not mass enumerate all the users).

I guess this is just information leakage due to a timing attack.
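Added example, not code from the thread, OpenSSH or fail2ban: the kind of check a fail2ban-style watcher can run over sshd's own log lines, flagging a source that fails authentication against many distinct usernames in a short window (the shape of mass enumeration) while a single probe of one username, as jtchang notes, stays invisible. Function names, thresholds and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd's "Failed password for [invalid user ]<name> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 18 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jul 18 10:00:02 bastion sshd[2102]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Jul 18 10:00:03 bastion sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Jul 18 10:00:04 bastion sshd[2104]: Failed password for root from 192.0.2.10 port 51237 ssh2
Jul 18 10:00:05 bastion sshd[2105]: Failed password for invalid user git from 192.0.2.10 port 51238 ssh2
Jul 18 10:01:00 bastion sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 18 10:01:10 bastion sshd[2111]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jul 18 10:01:30 bastion sshd[2113]: Accepted publickey for bob from 203.0.113.5 port 40100 ssh2
""".splitlines()

def parse_failures(lines):
    """Return [(timestamp, ip, user)] per failed-password line; syslog stamps lack a year."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]))
    return out

def enumeration_suspects(lines, window_seconds=600, min_distinct_users=5):
    """Map source IP -> sorted usernames for sources whose failures span at least
    `min_distinct_users` distinct accounts inside any `window_seconds` window.
    A password guesser hammers one account; an enumerator walks many."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        per_ip[ip].append((ts, user))
    suspects = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_distinct_users:
                suspects[ip] = sorted(users)
                break
    return suspects
```

The thresholds are placeholders to tune per environment; the two-event source trying one account is what a legitimate mistyped password also looks like, so it is deliberately not flagged at the defaults.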

------
Gunstick
Is this an old bug? 2013 ...
[https://www.devconsole.info/?p=341](https://www.devconsole.info/?p=341)

------
INTPenis
I tested the PoC on a lot of different ssh servers and couldn't see any
consistency at all in the times. Not sure how to exploit this.

------
peteretep
Is enumeration the right word here? You can't get a list of users, you can
check whether a given user is valid.

~~~
minitech
Maybe another term would be better, but it is in common use (example:
[https://www.owasp.org/index.php/Testing_for_Account_Enumerat...](https://www.owasp.org/index.php/Testing_for_Account_Enumeration_and_Guessable_User_Account_\(OTG-IDENT-004\))),
possibly because usernames aren't meant to be resistant to brute force.

~~~
runesoerensen
> because usernames aren't meant to be resistant to brute force

Any particular reason for saying this? User/account/email enumeration usually
involves brute force AFAIK, so lack of resistance would leave a system
vulnerable to such attacks.

~~~
minitech
Usernames are low-entropy human-readable identifiers. If you're getting at
login rate limiting and other best practices regarding how things _should_ be:
right! That's why it's a term for a vulnerability.

~~~
runesoerensen
You're right - I thought you were referring to an authentication system's
resistance against username enumeration (rather than the actual username).
Thanks for clarifying!

