OpenSSH Vulnerability Affects All Versions Back to 1999

A vulnerability in all versions of OpenSSH, CVE-2018-15473, was discovered by a Qualys researcher in late July. The bug could allow a remote threat actor to guess the usernames registered on an OpenSSH server. When a malformed authentication request is sent to an OpenSSH endpoint, the server responds with an authentication failure if the username does not exist and closes the connection if the username does exist. This difference provides a threat actor with valid usernames registered on the server, which they could then use in a brute-force attack to determine the associated passwords.

OpenSSH is used with a variety of technologies, and it is likely that billions of devices are affected by this vulnerability. The vulnerability has been patched for stable versions 1:6.7p1-1 and 1:7.7p1-4 of OpenSSH; however, it may take months for the patch to reach all affected applications and devices, and proof-of-concept code is already available.

Until patching is available, system administrators can disable OpenSSH authentication and use a separate authentication method for logging into remote systems, or disable the “public key authentication” method, forcing users to manually enter their username and password every time they log into a device via OpenSSH. The NJCCIC recommends administrators of systems using OpenSSH review the Qualys Security Advisory team notice, test servers for presence of the vulnerability using NVISO’s step-by-step tutorial, and apply a mitigation unless or until a patch becomes available.
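A way to confirm the “public key authentication” mitigation described above is actually in effect, as an added example that is not part of the NJCCIC advisory: it reads sshd_config text and reports whether PubkeyAuthentication is off globally and whether any Match block turns it back on. The function name and the sample configuration are constructed for illustration, and Include directives are not followed.

```python
import re

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_CONFIG = """\
# global section
Port 22
PubkeyAuthentication no
# a later duplicate is ignored: sshd keeps the first value it reads
PubkeyAuthentication yes
PasswordAuthentication yes

Match User deploy
    PubkeyAuthentication yes
"""

# "Keyword value" or "Keyword = value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def audit_pubkey_auth(config_text):
    """Report the effective PubkeyAuthentication setting in sshd_config text."""
    global_value = None   # first value seen outside any Match block
    match_values = {}     # Match criteria -> first value seen in that block
    current_match = None  # None while still in the global section
    for raw in config_text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current_match = args
        elif keyword == "pubkeyauthentication":
            value = args.split()[0].lower()
            if current_match is None:
                if global_value is None:
                    global_value = value
            else:
                match_values.setdefault(current_match, value)
    effective_global = global_value or "yes"  # sshd's default is "yes"
    reenabled = [c for c, v in match_values.items() if v != "no"]
    return {
        "global": effective_global,
        "reenabled_in_match": reenabled,
        "mitigated": effective_global == "no" and not reenabled,
    }


if __name__ == "__main__":
    print(audit_pubkey_auth(SAMPLE_CONFIG))
```

On a live host, `sshd -T` prints the effective configuration the daemon would use and is the authoritative check.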
