Page 1 of 1

SSH username enumeration bug CVE-2018-15473

Posted: Thu Aug 23, 2018 2:46 am
by ektus
Hi there,


is Gargoyle vulnerable, and if so, will there be patched versions available?

https://www.bleepingcomputer.com/news/s ... o-decades/

Regards
Ektus.

Re: SSH username enumeration bug CVE-2018-15473

Posted: Thu Aug 23, 2018 4:41 am
by Lantis
Gargoyle uses dropbear by default rather than OpenSSH.
so, no.

If users have replaced dropbear themselves, they may be vulnerable.
Anyone exposing the SSH port to the WAN is also doing themselves a disservice.

By default, SSH is not allowed from WAN.

Re: SSH username enumeration bug CVE-2018-15473

Posted: Thu Aug 23, 2018 6:23 am
by Lantis
Addendum to my last post.
Yes gargoyle is likely affected by a different (but related) CVE
https://security-tracker.debian.org/tra ... 2018-15599
which DOES affect Dropbear.

It will be patched before 1.11.0. Backporting security fixes for 1.10.x is not likely in my opinion.