SSH username enumeration bug CVE-2018-15473

Discuss the technical details of Gargoyle and ongoing development

Moderator: Moderators

ektus
Posts: 168
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

SSH username enumeration bug CVE-2018-15473

Postby ektus » Thu Aug 23, 2018 2:46 am

Hi there,


is Gargoyle vulnerable, and if so, will there be patched versions available?

https://www.bleepingcomputer.com/news/s ... o-decades/

Regards
Ektus.

Lantis
Moderator
Posts: 5212
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: SSH username enumeration bug CVE-2018-15473

Postby Lantis » Thu Aug 23, 2018 4:41 am

Gargoyle uses dropbear by default rather than OpenSSH.
so, no.

If users have replaced dropbear themselves, they may be vulnerable.
Anyone exposing the SSH port to the WAN is also doing themselves a disservice.

By default, SSH is not allowed from WAN.
Routers: Various ar71xx/mvebu/x86-64
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases

Lantis
Moderator
Posts: 5212
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: SSH username enumeration bug CVE-2018-15473

Postby Lantis » Thu Aug 23, 2018 6:23 am

Addendum to my last post.
Yes gargoyle is likely affected by a different (but related) CVE
https://security-tracker.debian.org/tra ... 2018-15599
which DOES affect Dropbear.

It will be patched before 1.11.0. Backporting security fixes for 1.10.x is not likely in my opinion.
Routers: Various ar71xx/mvebu/x86-64
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases


Return to “Gargoyle Development”

Who is online

Users browsing this forum: No registered users and 2 guests