Date: Wed, 24 Apr 2019 09:20:20 -0400
From: "Cameron, Frank J"
To: Brahmanand Reddy
Cc: FreeBSD-security@freebsd.org, openssh@openssh.com
Subject: Re: POC and patch for the CVE-2018-15473

Brahmanand Reddy wrote:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
>
> You mean this vulnerability which will impact/affects only for Oracle
> base? kindly confirm.

"Oracle" in the ancient Greek sense of a person through whom a deity
speaks and/or reveals hidden knowledge[1].

Quoting Damien Miller[2]:
"I and the other OpenSSH developers don't consider this class of bug a
significant vulnerability... this isn't "user enumeration" because it
doesn't yield the ability to enumerate or list accounts. It's an oracle;
allowing an attacker to make brute-force guesses of account names and
verify whether they exist on the target system."

[1] https://www.merriam-webster.com/dictionary/oracle
[2] https://www.openwall.com/lists/oss-security/2018/08/24/1