@seth-arnold,
You are talking about a different type of vulnerability scanning that is
not part of the Qualys service in question (External vulnerability scan,
"black box" scan methodology). PCI DSS also mandates regular internal
scans and penetration tests. Qualys, as well as other vendors provid
Root, that script is suitable for timing attacks against ssh. This issue
is easier to use to enumerate users, but does require a different
approach. There was a tool posted to oss-security for this:
https://www.openwall.com/lists/oss-security/2018/08/16/1
Thanks
Vital, just scanning version banners is what leads to this problem.
Inspecting the package database would be far more reliable.
Thanks
@Seth Arnold,
Qualys automated vulnerability scanner is not supposed to do any
penetration testing, including vulnerability exploitation attempts as it
is run unattended so must not create any risks of DoS. Trying to exploit
some vulnerabilities can jeopardize production systems. This way, such
no
@root (mysky),
You don't need any scripts. Referring to a vendor's documentation
(https://usn.ubuntu.com/3809-1/ in this case) is usually enough.
See also:
https://pci.qualys.com/static/help/merchant/false_positives/submit_false_positive_requests.htm
@Vital & Seth
Thanks for the clarification, so Qualys is the culprit! Such a good security
company, providing false reports without actually doing a full scan. Now I am
looking for a script to demonstrate this vulnerability fix; any good script?
Will this do?
https://github.com/nccgro
Root, aha! We've finally uncovered the root of the problem. (Sorry. I
can't help myself. It's Friday afternoon.)
While Qualys' TLS scanner is a top-notch tool that I use regularly,
their "security scanner" is sadly not. They have built a tool that
checks version numbers. This is not ideal, because
@root (mysky),
Qualys is slow to fix their detection algorithm. You just need to provide them
with a False Positive report citing the vendor documentation
(https://usn.ubuntu.com/3809-1/).
Faking the software version is the last thing someone should do to be PCI DSS
compliant.
@Seth, that's fine, but the scanned Qualys report suggests installing OpenSSH
>7.8 to fix this bug! Not sure where the issue is. PFA a sample Qualys
report. Do you know how to change the OpenSSH version and hide the OS
version without compiling? Any SSHD_options? Let me know.
Thanks
** Attachment add
Root, version 1:7.6p1-4ubuntu0.1 included the fix for CVE-2018-15473.
Version 1:7.6p1-4ubuntu0.2 is included in the disc image ubuntu-18.04.2-server-amd64:
$ sha256sum ubuntu-18.04.2-server-amd64.iso
a2cb36dc010d98ad9253ea5ad5a07fd6b409e3412c48f1860536970b073c98f5
ubuntu-18.04.2-server-amd64.
@Seth, if the update was released after November 6th 2018, then why am I
getting the 7.6p1 version even when I install with the latest ISO distro
from Feb 10 here?
http://cdimage.ubuntu.com/releases/18.04.2/release/ubuntu-18.04.2-server-amd64.iso
The above ISO is from Feb 2019 and it should be having
root, version 1:7.6p1-4ubuntu0.1 was published to the archive on
November 6th 2018:
https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.1
https://lists.ubuntu.com/archives/bionic-changes/2018-November/017000.html
https://usn.ubuntu.com/3809-1/
A default configuration of Ubuntu 18.04 LTS
@Seth, apt upgrade doesn't update even in 18.04; I had to compile the new
version 7.9p1 and replace the sshd binary! Don't know why it is still not
pushed to the main repo!
root: sudo apt update && sudo apt upgrade
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794629
Title:
CVE-2018-15473 - User enumeration vulnerability
To manage notifications about this bug
How to get the fix installed via apt? Any link?
** Changed in: openssh (Ubuntu Cosmic)
Status: In Progress => Fix Released
** Changed in: openssh (Ubuntu)
Status: In Progress => Fix Released
This bug was fixed in the package openssh - 1:7.6p1-4ubuntu0.1
---
openssh (1:7.6p1-4ubuntu0.1) bionic-security; urgency=medium
[ Ryan Finnie ]
* SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
- debian/patches/CVE-2018-15473.patch: delay bailout for inv
This bug was fixed in the package openssh - 1:7.2p2-4ubuntu2.6
---
openssh (1:7.2p2-4ubuntu2.6) xenial-security; urgency=medium
[ Ryan Finnie ]
* SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
- debian/patches/CVE-2018-15473.patch: delay bailout for inv
This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.11
---
openssh (1:6.6p1-2ubuntu2.11) trusty-security; urgency=medium
* SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
- debian/patches/CVE-2018-15473.patch: delay bailout for invalid
authe
** Also affects: openssh (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Xenial)
** Changed in: openssh (Ubuntu)
Importance: Undecided => Low
Hi,
FYI I checked with the Security Team and this CVE seems to be considered low priority.
But the ubuntu-security-sponsor is subscribed so they will get to consider it.
** Patch added: "lp1794629-artful.debdiff"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200768/+files/lp1794629-artful.debdiff
** Patch removed:
"bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch"
https://bugs.launchpad.net/ubuntu/+source/o
** Patch added: "lp1794629-trusty.debdiff"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200766/+files/lp1794629-trusty.debdiff
** Patch added: "lp1794629-bionic.debdiff"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200767/+files/lp1794629-bionic.debdiff
All debdiffs tested in the wild (except artful).
** Patch added: "lp1794629-xenial.debdiff"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200765/+files/lp1794629-xenial.debdiff
The attachment "bionic-upstream-delay-bailout-for-invalid-
authenticating-user.patch" seems to be a patch. If it isn't, please
remove the "patch" flag from the attachment, remove the "patch" tag, and
if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openssh (Ubuntu)
Status: New => Confirmed
FYI, Qualys is now considering CVE-2018-15473 a PCI-DSS fail condition
(QID: 38726).
** Patch added:
"bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200217/+files/bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch