#1
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/
#2
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
On 2018-08-22, Nobody wrote:
> https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/

Just for information, the "attack" is that OpenSSH responds differently to an invalid connection attempt (e.g. malformed) if the user name exists on the server and if it does not. Thus one can try different user names and determine if they exist on the server, in the public key authentication route. It does not give passwords.

I would call it a pretty low impact bug, since usernames have never been very secret anyway.

CVE-2018-15473
#3
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
On 08/22/2018 04:04 PM, William Unruh wrote:
> I would call it a pretty low impact bug, since usernames have never been very secret anyway.

Agreed. I think this is an information leak comparable to an error message saying "your password is invalid" versus "no such user".

--
Grant. . . .
unix || die
#4
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
On 2018-08-22, Grant Taylor wrote:
> On 08/22/2018 04:04 PM, William Unruh wrote:
>> I would call it a pretty low impact bug, since usernames have never been very secret anyway.
>
> Agreed. I think this is an information leak comparable to an error message saying "your password is invalid" versus "no such user".

According to the article, if the username is valid, the misformed packet is just dropped, while if the username is not valid, it is returned with an error message. I.e., yes it is similar. Not good, but hardly "Vulnerability Affects All OpenSSH Versions..."
#5
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
On 23 Aug 2018 00:29:56 GMT, William Unruh wrote:
> According to the article, if the username is valid, the misformed packet is just dropped, while if the username is not valid, it is returned with an error message. I.e., yes it is similar. Not good, but hardly "Vulnerability Affects All OpenSSH Versions..."

I, for one, appreciate the helpful clarifications by the latter three posters, where I agree with their assessment as to the level of the sky falling down.
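
The behaviour discussed in this thread (a malformed public key request answered differently depending on whether the account exists), sketched as a toy model with a regression check for it. This is an added example, not part of any post and not OpenSSH code; the handler names, reply constants, request layout and sample accounts are all constructed for illustration.

```python
# Toy model, constructed for illustration; not OpenSSH code.
USERS = {"alice", "bob"}      # constructed sample accounts
FAILURE = "AUTH_FAILURE"      # ordinary "authentication failed" reply
DISCONNECT = "DISCONNECT"     # connection dropped on a malformed request


def parse_request(blob: bytes):
    """Split b'<user>\\0<key>'; raise ValueError if the request is malformed."""
    user, sep, key = blob.partition(b"\0")
    if not sep or not user or len(key) < 4:
        raise ValueError("malformed request")
    return user.decode("ascii", "replace"), key


def key_is_authorized(user: str, key: bytes) -> bool:
    return False              # the model enrols no keys, so auth always fails


def handle_leaky(blob: bytes) -> str:
    """Looks up the account before validating the rest of the request."""
    user = blob.split(b"\0", 1)[0].decode("ascii", "replace")
    if user not in USERS:
        return FAILURE        # unknown user: error reply, packet never parsed
    try:
        user, key = parse_request(blob)
    except ValueError:
        return DISCONNECT     # known user: malformed packet is dropped
    return "SUCCESS" if key_is_authorized(user, key) else FAILURE


def handle_uniform(blob: bytes) -> str:
    """Validates the whole request first, so malformed input is treated alike."""
    try:
        user, key = parse_request(blob)
    except ValueError:
        return DISCONNECT
    if user not in USERS or not key_is_authorized(user, key):
        return FAILURE
    return "SUCCESS"


def leaks_account_existence(handler) -> bool:
    """Regression check: same request shape, known vs unknown account."""
    for key in (b"", b"\x00\x01", b"well-formed-key"):  # two malformed, one valid
        known = handler(b"alice\0" + key)
        unknown = handler(b"no-such-user\0" + key)
        if known != unknown:
            return True
    return False
```

A check like `leaks_account_existence` belongs in the test suite of any authentication handler, alongside the better-known "invalid password" versus "no such user" message comparison.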