Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

Discussion in 'privacy technology' started by mood, Aug 22, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,333
    Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
    August 22, 2018
    https://www.bleepingcomputer.com/ne...sh-versions-released-in-the-past-two-decades/
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,325
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,527
    This is a little bit FUD. If you use key-based authentication, knowing usernames is not a problem. I mean, I only use root and user as login accounts. It's true that enumerating app-specific usernames is helpful in planning exploits. But depending on obscurity for app security is pretty weak. And I mean, it's pretty obvious if you're running Apache, PHP and MySQL. Or whatever. Also, it's never prudent to expose sensitive servers to the Internet.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,333
    Similar bug:
    OpenSSH Versions Since 2011 Vulnerable to Oracle Attack
    August 29, 2018
    https://www.bleepingcomputer.com/ne...sions-since-2011-vulnerable-to-oracle-attack/
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    618
    I agree. It really does not matter if some Sunday script kiddie manages to figure out your username if you use public key authentication. They would still need to hack into your computer to steal the keyfile and crack its password.

    And if someone can do that then you have a bigger problem than this OpenSSH bug....
     