A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.
The security bug received a patch this week, but since the OpenSSH client is embedded in a multitude of software applications and hardware devices, it will take months, if not years, for the fix to trickle down to all affected systems.
Username enumeration bug discovered in OpenSSH
This particular bug was discovered last week by security researchers from Qualys who spotted a commit in OpenBSD's OpenSSH source code.
After analyzing the commit, researchers realized that the code inadvertently fixed a security bug lying dormant in the OpenSSH client since its creation.
This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. Since OpenSSH is used across a wide range of technologies, from cloud hosting servers to IoT equipment, billions of devices are affected.
As researchers explain, the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request (for example, via a truncated packet).
A vulnerable OpenSSH server reacts in two very different ways when this happens. If the username included in the malformed authentication request does not exist, the server responds with an authentication failure reply. If the user does exist, the server closes the connection without a reply.
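The two observable behaviours described above come from the order in which a server checks things: consulting the account list before the request has been fully parsed creates two different code paths for a malformed packet. The following Python model is an added illustration written for this article, not OpenSSH's own code or wire format; the packet layout, the account list, the "closed"/"failure"/"success" outcomes and every function name are constructed assumptions. It contrasts a handler that leaks through that ordering with one that parses the whole request first so a malformed packet always yields the same outcome, and includes a check a reviewer could use to confirm the two responses no longer differ.

```python
# Added example (not from the article, not OpenSSH code): a simplified model
# of how check ordering turns a malformed authentication request into a
# username oracle, and how parsing before branching removes the difference.
# The packet format, account list and key blobs below are constructed.
import struct

# Constructed sample accounts and their authorized key blobs (hypothetical).
AUTHORIZED_KEYS = {
    "alice": b"constructed-key-blob-A",
    "bob": b"constructed-key-blob-B",
}


class MalformedPacket(Exception):
    """Raised when a request cannot be parsed (e.g. it was truncated)."""


def build_request(username: str, key_blob: bytes) -> bytes:
    """Toy 'publickey' request: two big-endian length-prefixed strings."""
    name = username.encode()
    return (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_blob)) + key_blob)


def read_string(data: bytes, offset: int) -> tuple[bytes, int]:
    """Read one length-prefixed string; raise if the buffer is too short."""
    if offset + 4 > len(data):
        raise MalformedPacket("missing length field")
    (n,) = struct.unpack_from(">I", data, offset)
    end = offset + 4 + n
    if end > len(data):
        raise MalformedPacket("string truncated")
    return data[offset + 4:end], end


def vulnerable_handler(data: bytes) -> str:
    """Leaky ordering: decide on the username before parsing the rest.

    Unknown user -> early 'failure' reply, rest of packet never parsed.
    Known user   -> parsing continues, hits the truncation -> 'closed'.
    The two outcomes are distinguishable by the remote peer.
    """
    try:
        name, off = read_string(data, 0)
    except MalformedPacket:
        return "closed"
    user = name.decode(errors="replace")
    if user not in AUTHORIZED_KEYS:
        return "failure"          # early exit: packet tail never examined
    try:
        key_blob, _ = read_string(data, off)
    except MalformedPacket:
        return "closed"           # fatal parse error: connection dropped
    return "success" if key_blob == AUTHORIZED_KEYS[user] else "failure"


def fixed_handler(data: bytes) -> str:
    """Parse the complete request before any user-dependent branch.

    A malformed packet now produces 'closed' for every username, so the
    response no longer reveals whether the account exists.
    """
    try:
        name, off = read_string(data, 0)
        key_blob, _ = read_string(data, off)
    except MalformedPacket:
        return "closed"
    user = name.decode(errors="replace")
    if user not in AUTHORIZED_KEYS:
        return "failure"
    return "success" if key_blob == AUTHORIZED_KEYS[user] else "failure"


def truncated_request(username: str) -> bytes:
    """Constructed malformed probe: a valid request with its tail cut off."""
    return build_request(username, b"constructed-key-blob-X")[:-4]


def responses_differ(handler) -> bool:
    """Regression check: does a malformed packet get different outcomes for a
    registered and an unregistered name? True means the handler leaks."""
    known = handler(truncated_request("alice"))        # registered
    unknown = handler(truncated_request("nobody-here"))  # not registered
    return known != unknown


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_handler),
                           ("fixed", fixed_handler)):
        print(f"{label:10s} known={handler(truncated_request('alice'))!r} "
              f"unknown={handler(truncated_request('nobody-here'))!r} "
              f"leaks={responses_differ(handler)}")
```

The `responses_differ` check is the kind of test a maintainer would keep after such a fix: it does not depend on how the real protocol encodes requests, only on the requirement that a malformed request yields one outcome regardless of the username.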