Openssh has an username enumeration vulnerability in the OpenSSH client affecting all versions of the software

The vulnerability, tracked as CVE-2018-15473, could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

The flaw could potentially impact billion of devices using the vulnerable software.

How does it work?

The attacker tries to authenticate on an OpenSSH endpoint using a malformed authentication request

A vulnerable OpenSSH server, in turn, would respond in two different ways.

If the username included in the malformed authentication request does not exist, the server responds with authentication failure reply, otherwise, the server closes the connection without a reply.

When the attacker tries to authenticate a user with a malformed packet, what could happen is:

- if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;

- if the user is valid, then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.

The flaw could allow an attacker to guess valid usernames registered on an SSH server, then to launch brute-force attacks to guess the password.

Affected versions:

- Open SSH versions 1:6.7p1-1 and 1:7.7p1-1— and the 1:7.7p1-4 unstable branch