000037936 - RSA NetWitness suite OpenSSH username enumeration vulnerability

Document created by RSA Customer Support Employee on Sep 27, 2019
Version 1

Article Content

Article Number: 000037936
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.3.x
Issue: Vulnerability ID: Q38726
Required CVSS Base Score: 5
Required CVE ID: CVE-2018-15473
Required CVE Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473
Required Vulnerability Name: OpenSSH Username Enumeration Vulnerability
Required Vulnerability Description: OpenSSH (OpenBSD Secure Shell) is a set of programs providing encrypted communication sessions over a network using the SSH protocol. A username enumeration vulnerability exists in OpenSSH that a remote attacker can use to discover which accounts exist on a targeted system. The attacker sends a malformed authentication request for each username to be tested, over a fresh TCP connection each time, and watches how sshd reacts. If the username does not exist, the server rejects the request early and sends an SSH2_MSG_USERAUTH_FAILURE message. If the username exists, the server goes on to parse the malformed request, hits fatal() and closes the connection without answering (the SSH2_MSG_SERVICE_ACCEPT for the ssh-userauth service has already been sent by that point). The difference in behaviour tells the attacker whether the account exists, without any credential being tried.

The mitigation Red Hat recommends for CVE-2018-15473 is as follows:

Configuring your firewall to limit the origin and/or rate of incoming ssh connections will limit the impact of this attack, as it requires a new TCP connection for each username tested. This configuration also provides some protection against brute-force attacks on SSH passwords or keys.

The iptables rules below implement that rate limit: they cap the number of new SSH connections a single source address may open per minute, which slows username enumeration and password brute forcing alike. Note that this is a mitigation, not a fix. Only a patched OpenSSH removes the difference in responses for valid and invalid usernames; the rate limit merely reduces how quickly an unpatched sshd can be queried, and a per-source limit does nothing against probes spread across many source addresses.

Implementation Steps:

Step 1: SSH to the affected NetWitness host as root.

Step 2: Run the two commands below, in this order, to insert the iptables rules. Both use -I, so the second rule (the DROP rule) ends up above the first (the --set rule). That order is required: a new connection must be checked against the hit count before it is recorded. With --seconds 60 and --hitcount 4, a source address is allowed four new SSH connections inside a 60-second window; further new connections from that address are dropped as long as four or more hits remain inside the window, and each dropped attempt refreshes the entry (--update), so a client that keeps retrying prolongs its own block.

The values of "--hitcount 4" and "--seconds 60" can be adjusted as required. Change "-i eth0" if the management interface on the host has a different name, otherwise the rules never match.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Step 3: Save the rules so that they persist across reboots by running the command below.

service iptables save

Step 4: Restart the iptables service to reload the saved rule set by running the command below.

service iptables restart
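To make the behaviour of the two rules concrete, the following added example (not RSA or Red Hat code, and not something that runs on the appliance) models the counting logic of the kernel's xt_recent module for the rule pair in its final order, the --update/--hitcount DROP rule above the --set rule, and runs constructed sequences of new SSH connections through it. It shows that the fifth new connection from one address inside the window is the first one dropped, that --update keeps a retrying client blocked where --rcheck would let it back in, and that probes spread across several source addresses are not limited at all. The addresses, timings and usernames are made up for the illustration, and the per-address stamp cap the kernel applies (ip_pkt_list_tot, default 20) is ignored because the sequences never reach it.

```python
"""Model of the iptables 'recent' match behind the SSH rate limit.

Added example, not RSA or Red Hat code. Reproduces the counting logic
of xt_recent for the rule pair, in their final order:

  -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
      -m recent --update --seconds 60 --hitcount 4 -j DROP
  -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

Addresses, times and usernames below are constructed for the example.
"""
from collections import defaultdict


class RecentTable:
    """Per-source list of hit timestamps, as the 'recent' match keeps it."""

    def __init__(self, seconds, hitcount, refresh_on_match=True):
        self.seconds = seconds
        self.hitcount = hitcount
        # --update refreshes the entry on a match; --rcheck does not.
        self.refresh_on_match = refresh_on_match
        self.stamps = defaultdict(list)

    def hits_in_window(self, src, now):
        # A stamp exactly at the window boundary still counts, as in the kernel.
        return sum(1 for t in self.stamps.get(src, []) if now - t <= self.seconds)

    def check(self, src, now):
        """'--update/--rcheck --seconds S --hitcount N': match only if the
        address is already in the table with >= N hits inside the window.
        With --update a match also records this packet, so a client that
        keeps retrying while blocked keeps extending its own block."""
        if src not in self.stamps:
            return False
        matched = self.hits_in_window(src, now) >= self.hitcount
        if matched and self.refresh_on_match:
            self.stamps[src].append(now)
        return matched

    def set_hit(self, src, now):
        """'--set': record this packet for the address."""
        self.stamps[src].append(now)


def filter_new_connections(attempts, seconds=60, hitcount=4, refresh_on_match=True):
    """attempts: list of (time_in_seconds, src_ip, username), one entry per
    new TCP connection to port 22 (the enumeration attack needs one per
    username probed). Returns (accepted, dropped), each in arrival order."""
    table = RecentTable(seconds, hitcount, refresh_on_match)
    accepted, dropped = [], []
    for when, src, user in sorted(attempts):
        if table.check(src, when):        # rule 1: ... --update ... -j DROP
            dropped.append((when, src, user))
            continue
        table.set_hit(src, when)          # rule 2: ... --set, then chain policy
        accepted.append((when, src, user))
    return accepted, dropped


def probed_usernames(accepted, src):
    """Usernames for which sshd actually answered the given source."""
    return [u for _, s, u in accepted if s == src]


# Constructed scenario 1: one attacker probing a username per connection,
# one per second, while an admin logs in twice from another address.
ATTACKER, ADMIN = "203.0.113.5", "198.51.100.7"
USERS = ["alice", "bob", "carol", "dave", "eve", "frank", "grace", "heidi"]
BURST = [(i, ATTACKER, u) for i, u in enumerate(USERS)] + [(2, ADMIN, "root"), (9, ADMIN, "root")]

# Constructed scenario 2: four probes, then a retry every 15 seconds.
RETRY = [(i, ATTACKER, u) for i, u in enumerate(USERS[:4])] + [
    (t, ATTACKER, "probe") for t in (15, 30, 45, 60, 75, 90)
]

# Constructed scenario 3: the same 16 probes spread over four source addresses.
DISTRIBUTED = [(i, "203.0.113.%d" % (10 + k), "user%02d" % (4 * k + i))
               for k in range(4) for i in range(4)]


if __name__ == "__main__":
    acc, drp = filter_new_connections(BURST)
    print("burst: answered", probed_usernames(acc, ATTACKER), "dropped", len(drp))
    for mode, name in ((True, "--update"), (False, "--rcheck")):
        acc, drp = filter_new_connections(RETRY, refresh_on_match=mode)
        print(name, "retries dropped at:", [t for t, _, _ in drp])
    acc, drp = filter_new_connections(DISTRIBUTED)
    print("distributed: answered", len(acc), "dropped", len(drp))
```

The model is deliberately the rule pair as applied by the steps above, not a replacement for it; on the host itself the resulting rule order can be confirmed with iptables -L INPUT -n --line-numbers, where the DROP rule must appear before the --set rule. The --rcheck variant is included only to show why the mitigation uses --update: with --update a blocked source that keeps hammering the port never gets back under the threshold, with --rcheck it would be admitted again as soon as its original four hits age out of the window.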