OpenSSH User Enumeration

  • For those who have their "22" open on all or most interfaces : they could have their users - the login names - being listed. Nothing more, nothing less.
    But as stated, when you use a public/private key - and probably also the password only method - you do not risk anything.

    If I understood the issue well, if pfSense is installed "by the rules and laws" => only trusted devices on LAN, all the others on extra OPTx interfaces with appropriate firewall rules, we all will be just fine.

    I didn't play with the python code yet, will do so this evening.



  • Humm.

    Debian 8 and 9 just updated their OpenSSL packages, related to this issue :

    --- Modifications pour openssh (openssh-client openssh-server openssh-sftp-server) ---
    openssh (1:6.7p1-5+deb8u5) jessie-security; urgency=high
    
      * CVE-2018-15473: Prevent a user enumeration vulnerability by delaying the
        bailout for invalid authenticating users until after the packet containing
        the request has been fully parsed. (closes: #906236)
    

    but, hey, my servers are exposed to the net with their SSH access. pfSense isn't.


  • Rebel Alliance Developer Netgate

    We pulled in patches for that to 2.4.4 a few days ago ( See https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#security )

    It's only a gigantic deal if you consider usernames a secret. If you use key-based auth it's still not like they'll be able to get in. It's still a bad practice to let the attacker know a user exists, so it's worth fixing, but it's not the end of the world. It may lead to more focused brute forcing of password-based auth if nothing else.

    But your port 22 shouldn't be open to the world anyhow, especially not with password auth.

    So the best practice reactions to this are the same as any other SSH security issue:

    • Always use key-based authentication
    • Don't expose ssh port to the world
    • Update when a patched version is available (2.4.4 will be out in a couple weeks)


  • @jimp said in OpenSSH User Enumeration:

    We pulled in patches for that to 2.4.4 a few days ago ( See https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#security )
    But your port 22 shouldn't be open to the world anyhow, especially not with

    Yep, just for the naysayers out there. I opened 22 on my test firewall this morning before I left for the field. As I sit here having lunch I checked in with it.
    Did an update (daily on this box) to the latest snap. Within seconds of it being back up, IPs started connecting to port 22 trying to guess user/pass combos. 16 different IPs in five minutes.

    I can't imagine what that would be like if it had been open for days..
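As an added example (not code from this thread, from pfSense or from Netgate), a small Python script that turns the last post's observation into a check: it parses sshd failure lines from a constructed auth-log sample and flags any five-minute window in which several distinct source addresses hit the daemon. The log sample, the log format and the threshold of three distinct IPs are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth-log lines (no real traffic); the
# timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
Aug 17 12:01:03 fw sshd[2011]: Invalid user admin from 203.0.113.10 port 51022
Aug 17 12:01:04 fw sshd[2011]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Aug 17 12:01:20 fw sshd[2014]: Failed password for root from 198.51.100.7 port 40000 ssh2
Aug 17 12:02:41 fw sshd[2019]: Invalid user oracle from 203.0.113.44 port 33102
Aug 17 12:03:05 fw sshd[2022]: Failed password for invalid user test from 192.0.2.9 port 22033 ssh2
Aug 17 12:04:59 fw sshd[2030]: Accepted publickey for admin from 10.0.0.5 port 50001 ssh2
Aug 17 12:09:00 fw sshd[2040]: Failed password for invalid user pi from 203.0.113.10 port 51100 ssh2
"""

# Matches the two sshd messages that record a failed or invalid login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)

def parse_failures(log_text, year=2018):
    """Yield (timestamp, username, source_ip) for each failed/invalid login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["u1"] or m["u2"], m["ip1"] or m["ip2"]

def scan_windows(events, window_minutes=5, min_ips=3):
    """Bucket failures into fixed windows; return windows with >= min_ips distinct sources."""
    buckets = defaultdict(lambda: {"ips": set(), "users": set()})
    for ts, user, ip in events:
        start = ts.replace(second=0, minute=ts.minute - ts.minute % window_minutes)
        buckets[start]["ips"].add(ip)
        buckets[start]["users"].add(user)
    return [
        (start, sorted(b["ips"]), sorted(b["users"]))
        for start, b in sorted(buckets.items()) if len(b["ips"]) >= min_ips
    ]

if __name__ == "__main__":
    for start, ips, users in scan_windows(parse_failures(SAMPLE_LOG)):
        print(f"{start:%H:%M}: {len(ips)} sources {ips} tried users {users}")
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) instead of the constructed sample.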