User enumeration in Dropbear 2018.76 and earlier

Matt Johnston matt at ucc.asn.au
Thu Aug 23 23:50:29 AWST 2018


On Mon 20/8/2018, at 11:55 pm, Matt Johnston <matt at ucc.asn.au> wrote:
> 
> I can confirm Dropbear has the same problem, probably all versions. I should have a patch in the next couple of days.
> 
> This allows someone to remotely know whether a particular username exists or not on a server. In some circumstances that could be a problem, though by itself it doesn't allow exploitation of a server.

This should be fixed by https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00, and the CVE number is CVE-2018-15599.

Cheers,
Matt


