SSH username enumeration bug CVE-2018-15473

Discuss the technical details of Gargoyle and ongoing development

Moderator: Moderators

Post Reply
ektus
Posts: 241
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

SSH username enumeration bug CVE-2018-15473

Post by ektus »

Hi there,


is Gargoyle vulnerable, and if so, will there be patched versions available?

https://www.bleepingcomputer.com/news/s ... o-decades/

Regards
Ektus.

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: SSH username enumeration bug CVE-2018-15473

Post by Lantis »

Gargoyle uses dropbear by default rather than OpenSSH.
so, no.

If users have replaced dropbear themselves, they may be vulnerable.
Anyone exposing the SSH port to the WAN is also doing themselves a disservice.

By default, SSH is not allowed from WAN.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: SSH username enumeration bug CVE-2018-15473

Post by Lantis »

Addendum to my last post.
Yes gargoyle is likely affected by a different (but related) CVE
https://security-tracker.debian.org/tra ... 2018-15599
which DOES affect Dropbear.

It will be patched before 1.11.0. Backporting security fixes for 1.10.x is not likely in my opinion.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Post Reply