POC and patch for the CVE-2018-15473
Cameron, Frank J
cameron at ctc.com
Wed Apr 24 13:49:26 UTC 2019
Brahmanand Reddy wrote:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
>
> You mean this vulnerability which will impact/affects only for Oracle
> base? kindly confirm.
"Oracle" in the ancient Greek sense of a person through whom a deity
speaks and/or reveals hidden knowledge[1].
Quoting Damien Miller[2]:
"I and the other OpenSSH developers don't consider this class of bug a
significant vulnerability... this isn't "user enumeration" because it
doesn't yield the ability to enumerate or list accounts. It's an oracle;
allowing an attacker to make brute-force guesses of account names and
verify whether they exist on the target system."
[1] https://www.merriam-webster.com/dictionary/oracle
[2] https://www.openwall.com/lists/oss-security/2018/08/24/1
-----------------------------------------------------------------
This message and any files transmitted within are intended
solely for the addressee or its representative and may contain
company proprietary information. If you are not the intended
recipient, notify the sender immediately and delete this
message. Publication, reproduction, forwarding, or content
disclosure is prohibited without the consent of the original
sender and may be unlawful.
Concurrent Technologies Corporation and its Affiliates.
www.ctc.com 1-800-282-4392
-----------------------------------------------------------------
More information about the freebsd-security
mailing list