CVE-2018-15599: Infoleak
First published: Tue Aug 21 2018(Updated: )
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =8.0 | |
| Dropbear Ssh Project Dropbear Ssh | <=2018.76 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
- http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002109.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00026.html
- https://matt.ucc.asn.au/dropbear/CHANGES
- https://old.reddit.com/r/blackhat/comments/97ywnm/openssh_username_enumeration/e4e05n2/
- collector/nvd-index
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/dropbear ssh project
- canonical/dropbear ssh project dropbear ssh
- version/dropbear ssh project dropbear ssh/2018.76