Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Aug 2018 12:35:52 +0200
From: Solar Designer <>
Cc: Dariusz Tytko <>
Subject: Re: OpenSSH Username Enumeration

On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
> We have published our writeup
>, hope it
> helps to better understanding the problem.

Thanks.  We have a policy here that the actual content must be in the
message, not only included by reference.  Luckily, Qualys already
brought some detail in here, but nevertheless I'm also attaching a text
export of your blog post.  Next time you post, please take care of this
on your own (if relevant).

"At least the most essential part of your message (e.g., vulnerability
detail and/or exploit) should be directly included in the message itself
(and in plain text), rather than only included by reference to an
external resource.  Posting links to relevant external resources as well
is acceptable, but posting only links is not.  Your message should
remain valuable even with all of the external resources gone."

As it relates to the actual issue (and past issues, which had to do with
the password hashing step being skipped or done differently), I'd like
to note that username enumeration will generally remain possible via
finer and more numerous timing measurements, primarily because user
lookup with getpwnam(3) and such is generally not timing-safe.  Fixing
some of these issues, we're just making username enumeration harder,
slower, and less reliable.  These are fine goals and it's great that
specific fixable issues are getting fixed, but I do see why the OpenSSH
team wouldn't formally treat this as a vulnerability.  OTOH, easy
username enumeration issues were treated as vulnerabilities (although
maybe not by upstreams, I just don't recall) at least for proftpd and
vsftpd (these got CVE IDs for such issues in 2004), and probably more.


View attachment "OpenSSH-users-enumeration-CVE-2018-15473.txt" of type "text/plain" (10588 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.