Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades



 
 
  #1  
Old August 22nd 18, 10:44 PM posted to alt.privacy.anon-server,alt.os.linux,comp.os.linux.misc,alt.comp.os.windows-10
Nobody[_11_]
external usenet poster
 
Posts: 2
Default Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/
  #2  
Old August 22nd 18, 11:04 PM posted to alt.privacy.anon-server,alt.os.linux,comp.os.linux.misc,alt.comp.os.windows-10
William Unruh
external usenet poster
 
Posts: 173
Default Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

On 2018-08-22, Nobody wrote:
> https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/


Just for information, the "attack" is that OpenSSH responds differently
to an invalid connection attempt (e.g. malformed) if the user name exists
on the server and if it does not. Thus one can try different user names
and determine if they exist on the server, in the public key
authentication route. It does not give passwords. I would call it a
pretty low impact bug, since usernames have never been very secret
anyway.
CVE-2018-15473
  #3  
Old August 22nd 18, 11:22 PM posted to alt.privacy.anon-server,alt.os.linux,comp.os.linux.misc,alt.comp.os.windows-10
Grant Taylor
external usenet poster
 
Posts: 7
Default Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

On 08/22/2018 04:04 PM, William Unruh wrote:
> I would call it a pretty low impact bug, since usernames have never been
> very secret anyway.

Agreed.

I think this is an information leak comparable to an error message
saying "your password is invalid" versus "no such user".




--
Grant. . . .
unix || die
  #4  
Old August 23rd 18, 01:29 AM posted to alt.privacy.anon-server,alt.os.linux,comp.os.linux.misc,alt.comp.os.windows-10
William Unruh
external usenet poster
 
Posts: 173
Default Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

On 2018-08-22, Grant Taylor wrote:
> On 08/22/2018 04:04 PM, William Unruh wrote:
>> I would call it a pretty low impact bug, since usernames have never been
>> very secret anyway.
>
> Agreed.
>
> I think this is an information leak comparable to an error message
> saying "your password is invalid" versus "no such user".


According to the article, if the username is valid, the misformed packet
is just dropped, while if the username is not valid, it is returned with
an error message. I.e., yes it is similar. Not good, but hardly
"Vulnerability Affects All OpenSSH Versions..."




  #5  
Old August 23rd 18, 02:37 AM posted to alt.privacy.anon-server,alt.os.linux,comp.os.linux.misc,alt.comp.os.windows-10
Arlen Holder
external usenet poster
 
Posts: 466
Default Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

On 23 Aug 2018 00:29:56 GMT, William Unruh wrote:

> According to the article, if the username is valid, the misformed packet
> is just dropped, while if the username is not valid, it is returned with
> an error message. I.e., yes it is similar. Not good, but hardly
> "Vulnerability Affects All OpenSSH Versions..."


I, for one, appreciate the helpful clarifications by the latter three
posters, where I agree with their assessment as to the level of the sky
falling down.
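
The behaviour difference described in post #4 (malformed request dropped for an existing user, answered with an error for a non-existent one), modelled as an added example that is not part of the thread and is not OpenSSH code. The wire format, account list and all function names are hypothetical; the hardened handler shows one way to remove the difference by parsing before the user check.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH code; every name here is hypothetical. */
enum outcome { AUTH_FAILURE_REPLY, CONNECTION_DROPPED, KEY_CHECK };
typedef enum outcome (*handler)(const char *, const unsigned char *, size_t);

/* Constructed account list standing in for the server's user database. */
static int user_exists(const char *user) {
    static const char *known[] = { "root", "alice" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(user, known[i]) == 0) return 1;
    return 0;
}

/* Toy wire format: one length byte, then exactly that many key bytes.
 * Returns 0 for a well-formed request, -1 for a malformed one. */
static int parse_request(const unsigned char *buf, size_t len) {
    return (len >= 1 && (size_t)buf[0] == len - 1) ? 0 : -1;
}

/* Flawed ordering: unknown users are answered before parsing, so only
 * known users ever reach the parser and its drop-on-error path. */
enum outcome handle_flawed(const char *user, const unsigned char *buf, size_t len) {
    if (!user_exists(user)) return AUTH_FAILURE_REPLY;
    if (parse_request(buf, len) != 0) return CONNECTION_DROPPED;
    return KEY_CHECK; /* key verification would follow here */
}

/* Hardened ordering: parse first, so a malformed request gets the same
 * treatment whether or not the account exists. */
enum outcome handle_hardened(const char *user, const unsigned char *buf, size_t len) {
    if (parse_request(buf, len) != 0) return CONNECTION_DROPPED;
    if (!user_exists(user)) return AUTH_FAILURE_REPLY;
    return KEY_CHECK;
}

/* Returns 1 if a malformed request is answered differently for a known
 * and an unknown user, i.e. the handler reveals account existence. */
int leaks_user_existence(handler h) {
    static const unsigned char bad[] = { 0x09, 0x41, 0x42 }; /* constructed: claims 9 bytes, carries 2 */
    return h("alice", bad, sizeof bad) != h("no-such-user", bad, sizeof bad);
}

int main(void) {
    printf("flawed leaks: %d, hardened leaks: %d\n",
           leaks_user_existence(handle_flawed), leaks_user_existence(handle_hardened));
    return 0;
}
```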
 




All times are GMT +1.