<div dir="ltr"><div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.riskbasedsecurity.com/2018/08/apache-struts-distraction-continues-while-over-600-additional-vulnerabilities-have-been-released/">https://www.riskbasedsecurity.com/2018/08/apache-struts-distraction-continues-while-over-600-additional-vulnerabilities-have-been-released/</a><br><br><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">While everyone has been heavily focused on, or we could say distracted by,<span> </span></span><a href="http://www.riskbasedsecurity.com/2018/08/watch-out-another-nasty-apache-struts-vulnerability-has-been-disclosed/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">the recent Apache Struts vulnerability</span></a><span style="font-weight:400">, the steady flow of additional vulnerabilities being disclosed continues. As<span> </span></span><a href="http://www.riskbasedsecurity.com/2018/08/more-than-10000-vulnerabilities-disclosed-so-far-in-2018-over-3000-you-may-not-know-about/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">we recently pointed out</span></a><span style="font-weight:400">, the flood of vulnerabilities is not letting up this year. They range from the fairly mundane that likely affects few people, to ones that are not as severe but likely impact every major organization, to the truly bad ones like the Struts vulnerability. 
We figured this would be a good time to give some attention to one of the medium-severity issues that may escape notice by organizations frantically patching Struts.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">On July 30, 2018, Dariusz Tytko (<a href="http://securitum.pl">securitum.pl</a>) and Michał Sajdak<span> </span></span><a href="https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">contributed a commit to the OpenSSH package</span></a><span style="font-weight:400"> maintained by OpenBSD that had a fairly innocuous commit message: “</span><i><span style="font-weight:400">delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed.</span></i><span style="font-weight:400">” This commit went largely unnoticed despite its security impact. On August 15, security firm Qualys<span> </span></span><a href="http://seclists.org/oss-sec/2018/q3/124" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">posted a message to the oss-sec mailing list</span></a><span style="font-weight:400"><span> </span>pointing out this commit, its security impact, and noting that it deserved a CVE assignment. A day later,<span> </span></span><a href="https://packetstormsecurity.com/files/148955/OpenSSH-7.x-Username-Enumeration.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">a working exploit was posted to PacketStorm</span></a><span style="font-weight:400">. 
The following day, a CVE ID was assigned to the issue (</span><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15473" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">CVE-2018-15473</span></a><span style="font-weight:400">).</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">This in turn led Bleeping Computer to<span> </span></span><a href="https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">cover the vulnerability on August 22nd</span></a><span style="font-weight:400">, where they also pointed out that it affects all versions of OpenSSH released in the past two decades. A day later, Sophos’ Naked Security blog wrote about the vulnerability as well,<span> </span></span><a href="https://nakedsecurity.sophos.com/2018/08/23/vulnerability-in-openssh-for-two-decades-no-the-sky-isnt-falling/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">saying: “</span><i><span style="font-weight:400">no the sky isn’t falling</span></i><span style="font-weight:400">”</span></a><span style="font-weight:400">.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">As with the Apache Struts vulnerability, which has been getting increasing attention in news articles and mentions on social media, this OpenSSH enumeration vulnerability is also getting some attention. 
This is one of the factors that goes into the<span> </span></span><a href="https://vulndb.cyberriskanalytics.com/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">VulnDB</span></a><span style="font-weight:400"><span> </span>Social Risk Score, which we assign to vulnerabilities to better highlight issues that may fly under the radar due to a low CVSS score or perception that the issue is not serious.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial;text-align:center"><b>OpenSSH Delay Bailout Packet Parsing Remote Username Enumeration Weakness</b></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Looking at VulnDB, we see that this vulnerability has a 5.0 CVSSv2 base score, but it can be triggered remotely, has a publicly available exploit, and as mentioned the Social Risk Score is high. As we have seen, there are some organizations that prioritize solely on CVSS scores and may potentially ignore this issue.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">One of the reasons that this issue may be more serious than it initially appears on the surface is that it affects just about every Linux distribution out there, as OpenSSH is enabled by default. 
Versions between 5.9, released on September 6, 2011, and version 7.8, released on August 24, 2018, are impacted. This means that a high percentage of Unix-flavored systems are affected by this vulnerability.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Enumeration vulnerabilities, which allow a remote attacker to slowly and systematically determine information about a system, have long been debated in the Information Security community.<span> </span></span><a href="http://seclists.org/oss-sec/2018/q3/170" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Some argue</span></a><span style="font-weight:400"><span> </span>that due to the time and effort required, they are not serious, and that other mitigations make them even less severe. For example, do organizations care that an enumeration attack carried out over ten days might reveal dozens of valid usernames on a system when a properly implemented strong password policy would make guessing a password almost impossible? While that is a great point, others argue that a dedicated attacker might just be able to do that, or might use the information on a mismanaged system that doesn’t have such a policy properly enforced. 
Worse, if they are using a public repository of credentials collected from prior data breaches such as tracked in<span> </span></span><a href="https://www.cyberriskanalytics.com/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Cyber Risk Analytics</span></a><span style="font-weight:400">, the chances of them knowing a password without having to conduct a brute-force attack go up significantly.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Another point to remember is that enumeration attacks, like remote path disclosures, may not be serious unto themselves but may be one of the first steps in a longer exploit chain. That username may carry over to a web application that doesn’t enforce as strong of a password policy as the underlying Unix system. That username may be an avenue to enumerate additional information via a web-based user directory, giving access to files that were not meant to be public. While most professionals will say that “security through obscurity is no security at all”, obscurity definitely has a place in a defense-in-depth approach. 
Even if it is not intentional, obscurity often works as additional security for organizations (even if only slightly).</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Regardless of where your beliefs sit on the enumeration severity spectrum, it is important to note that organizations relying on vulnerability intelligence from CVE/NVD<span> </span></span><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15473" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">are still in the dark</span></a><span style="font-weight:400">. As with hundreds of other vulnerabilities, both critical and minor, NVD has not assigned a CVSS score or CPE details to this issue.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">While details and news coverage continue to come out on the OpenSSH enumeration issue, it was revealed that Dropbear SSH, a popular replacement for OpenSSH, also<span> </span></span><a href="http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">has a similar remote enumeration issue</span></a><span style="font-weight:400">. The exploit for OpenSSH works equally well against Dropbear SSH. 
To top it all off, a second OpenSSH remote enumeration issue was disclosed on August 27th (CVE-2018-15919), and like the first one, you guessed it, it is<span> </span></span><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15919" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">still awaiting analysis by NVD</span></a><span style="font-weight:400">.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Looking at the bigger picture,<span> </span></span><a href="https://vulndb.cyberriskanalytics.com/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">VulnDB<span> </span></span></a><span style="font-weight:400">has over 500 remote enumeration vulnerabilities in which an attacker can potentially determine multiple pieces of information about a system (e.g. valid usernames, file existence, user groups, password policy, etc.). Almost 300 of those are cases where an attacker can enumerate valid account names. Sixteen of those are in SSH services. Nine of those SSH-based enumeration vulnerabilities are in OpenSSH, meaning that while this may not be considered as serious a vulnerability by some, the issue keeps coming back.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Each organization, of course, needs to prioritize patching and remediation based on their own networks, assets, and exposures. However, as always, we want to remind organizations that a CVSS score should not be the only factor to consider. 
Given the attention that this vulnerability is getting, this issue is something that we recommend each organization quickly evaluate, and if deemed an exposure, work on prioritizing the fix.</span></p><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
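<p>The post recommends that each organization quickly evaluate its exposure and gives the affected OpenSSH range as 5.9 through 7.8. The script below is an added example (not code from the post or from the OpenSSH or Dropbear projects) of the inventory triage a defender can run offline over already-collected SSH banners: it parses the software field of each banner, compares the OpenSSH version against that range, and separately flags Dropbear hosts, since the post reports a similar issue there without a version range. Host names and banner strings are constructed sample data, and the affected range is taken from the post as stated.</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected OpenSSH range as stated in the post: 5.9 through 7.8 inclusive.
# Note: distributions often backport fixes without bumping the banner version,
# so an in-range banner is a signal to evaluate the host, not proof it is vulnerable.
AFFECTED_MIN = (5, 9)
AFFECTED_MAX = (7, 8)

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion> [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")
# OpenSSH software field, e.g. "OpenSSH_7.4p1" (the portable "pN" suffix is ignored)
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?", re.IGNORECASE)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH banner, or None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return None
    return (int(v.group("major")), int(v.group("minor")))


def classify_banner(banner: str) -> str:
    """Classify one banner as 'affected', 'not-affected', 'dropbear' or 'unknown'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"
    software = m.group("software")
    if software.lower().startswith("dropbear"):
        # The post reports a similar enumeration issue in Dropbear but gives no
        # version range, so every Dropbear host is flagged for manual review.
        return "dropbear"
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    # Tuple comparison gives correct numeric ordering (e.g. 7.10 > 7.8).
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, banner) pair in a collected inventory to its classification."""
    return {host: classify_banner(banner) for host, banner in inventory}


# Constructed sample inventory: host label and the banner captured from it.
SAMPLE_INVENTORY = [
    ("host-a", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4"),  # in range; check for backport
    ("host-b", "SSH-2.0-OpenSSH_5.3"),                      # below the stated range
    ("host-c", "SSH-2.0-OpenSSH_7.9"),                      # above the stated range
    ("host-d", "SSH-2.0-dropbear_2017.75"),                 # Dropbear, flag for review
    ("host-e", "SSH-2.0-libssh-0.7.3"),                     # other server, not covered
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

<p>The "affected" bucket is the list to evaluate first; because vendors backport patches, confirm each host against its distribution's advisory or package changelog rather than treating the banner as the final word.</p>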
</div></div>