PT-2018-1486 · Openssh+6
Published 2018-08-17 · Updated 2026-03-10
CVE-2018-15473
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSH versions 7.7 and earlier
Description
OpenSSH through 7.7 allows a remote, unauthenticated attacker to enumerate valid user accounts. The cause is the order of operations in the userauth handlers in auth2-gss.c, auth2-hostbased.c and auth2-pubkey.c: when the requested user does not exist, sshd bails out before the rest of the SSH_MSG_USERAUTH_REQUEST packet has been parsed, whereas for an existing user the packet is parsed in full. An attacker who sends a deliberately malformed authentication request therefore sees two different outcomes: for an unknown user the server answers with a normal authentication failure (the malformed remainder is never inspected), while for a known user the parse error hits sshd's fatal path and the connection is torn down without a reply. Repeating the probe over a list of candidate names yields the set of accounts that exist on the host. No credentials are needed, and the distinction is a deterministic protocol behaviour rather than a timing difference.
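The parse-order difference is easiest to see in code. The following Python simulation is an added example written for this page, not OpenSSH source code: it models the 'publickey' branch of SSH_MSG_USERAUTH_REQUEST handling in the vulnerable order and in the corrected order, builds a well-formed and a malformed request in RFC 4252 wire format, and runs the enumeration probe against both handlers. The account set KNOWN_USERS, the candidate usernames and the helper names are constructed for the demonstration; the real attack drives these packets over an established SSH transport, which is omitted here.

```python
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51

# Constructed account set standing in for the server's passwd database.
KNOWN_USERS = {"root", "alice"}

class Disconnect(Exception):
    """Models sshd's fatal(): the connection is torn down with no auth reply."""

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

class PacketReader:
    """Bounds-checked reader; a truncated field is what sshpkt_get_* rejects."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u8(self) -> int:
        if self.pos >= len(self.buf):
            raise Disconnect("short read: byte")
        self.pos += 1
        return self.buf[self.pos - 1]

    def string(self) -> bytes:
        if self.pos + 4 > len(self.buf):
            raise Disconnect("short read: length")
        (n,) = struct.unpack(">I", self.buf[self.pos:self.pos + 4])
        if self.pos + 4 + n > len(self.buf):
            raise Disconnect("short read: %d-byte string" % n)
        data = self.buf[self.pos + 4:self.pos + 4 + n]
        self.pos += 4 + n
        return data

def build_pubkey_request(username: str, malformed: bool = False) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'publickey', no signature (key query).

    With malformed=True the key blob's length field claims 0xFFFF bytes while
    only 8 follow, so any parser that reads the blob has to reject it.
    """
    body = (
        bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(username.encode())
        + ssh_string(b"ssh-connection")
        + ssh_string(b"publickey")
        + b"\x00"                    # boolean: no signature present
        + ssh_string(b"ssh-rsa")     # public key algorithm name
    )
    if malformed:
        return body + struct.pack(">I", 0xFFFF) + b"\x00" * 8
    return body + ssh_string(b"placeholder-key-blob")  # constructed blob

def _parse_header(payload: bytes):
    """Prefix every method reads: message type, user, service, method name."""
    r = PacketReader(payload)
    if r.u8() != SSH_MSG_USERAUTH_REQUEST:
        raise Disconnect("unexpected message type")
    user = r.string().decode()
    r.string()  # service name
    r.string()  # method name
    return r, user

def userauth_pubkey_vulnerable(payload: bytes) -> int:
    """Pre-7.8 order: bail out for an unknown user BEFORE parsing the rest."""
    r, user = _parse_header(payload)
    if user not in KNOWN_USERS:
        return SSH_MSG_USERAUTH_FAILURE  # malformed tail is never inspected
    r.u8()      # have_sig
    r.string()  # pkalg
    r.string()  # pkblob: raises Disconnect on the malformed probe
    return SSH_MSG_USERAUTH_FAILURE      # no key is authorised in this model

def userauth_pubkey_fixed(payload: bytes) -> int:
    """7.8+ order: parse the whole request first, then act on user validity."""
    r, user = _parse_header(payload)
    r.u8()      # have_sig
    r.string()  # pkalg
    r.string()  # pkblob: malformed input now fails for every username
    if user not in KNOWN_USERS:
        return SSH_MSG_USERAUTH_FAILURE
    return SSH_MSG_USERAUTH_FAILURE      # identical reply for a known user

def probe(handler, username: str) -> str:
    """Attacker's view of one malformed request: a reply or a dropped link."""
    try:
        handler(build_pubkey_request(username, malformed=True))
        return "userauth-failure"
    except Disconnect:
        return "disconnect"

def enumerate_users(handler, candidates):
    """Candidates that the server's reaction marks as existing accounts."""
    return sorted(u for u in candidates if probe(handler, u) == "disconnect")
```

Against the vulnerable handler, `enumerate_users` returns exactly the names in KNOWN_USERS; against the fixed handler every candidate produces the same "disconnect" result, so the probe carries no signal. Note that the corrected server still rejects the malformed packet; the fix is not to tolerate bad input but to make the rejection independent of whether the user exists. On a real target the "disconnect" branch shows up as the socket closing before any SSH_MSG_USERAUTH_FAILURE arrives.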
Recommendations
Upgrade to OpenSSH 7.8 or later, or apply the backported fix shipped by your distribution (the affected vendors are listed below). Until the update is in place, reduce exposure rather than trying to hide the oracle: restrict which networks can reach the SSH port (firewall rules, allowlists, VPN or bastion access) so that untrusted hosts cannot send authentication requests at all. Treat usernames as non-secret in any case: enforce key-based authentication or strong passwords and rate-limit or lock out repeated failures, so that confirming an account name gains an attacker little. Watch authentication logs for bursts of connections from one source that end during the userauth phase, which is what an enumeration sweep looks like.
Information Disclosure
Race Condition
Affected products
ALT Linux
CentOS
IBM AIX
OpenSSH
Red Hat
SUSE
Ubuntu