01 · The Real Story
This is a peephole in the front door, not a broken lock
Tenable plugin 159490 maps to CVE-2018-15473, an OpenSSH username enumeration bug. On OpenSSH versions through 7.7 upstream, a malformed authentication packet can trigger different server behavior for valid versus invalid usernames, letting an unauthenticated remote attacker test whether an account exists. Upstream fixed it in OpenSSH 7.8 on 2018-08-24, and major distros also backported the fix to older package branches.
The vendor's MEDIUM label is defensible on paper but too generous for enterprise patch triage. This bug does not grant authentication bypass, code execution, file access, or denial of service; it only improves attacker recon. In real environments, valid usernames are often guessable from email formats, directory naming, VPN portals, or prior phishing data, so the incremental value of this leak is usually modest.
"Internet-reachable but low-consequence: this leaks usernames, not shells"
02 · The Attack Path
3 steps from start to impact.
STEP 01
Reach an exposed sshd listener
The attacker first needs TCP reachability to an OpenSSH server, typically on port 22. This is fully unauthenticated and works against the banner-detected versions Tenable flags, but only if the service is actually reachable from the attacker's network position.
Conditions required:
- Target host is running OpenSSH with the vulnerable code path
- Port 22/TCP is reachable from the attacker
- Version-based finding is not already remediated by a distro backport
Where this breaks in practice:
- Many enterprise SSH services are limited to VPN, bastions, jump hosts, or admin subnets
- Banner-based scanner hits overstate risk when Ubuntu/Debian/RHEL have backported fixes without changing the upstream-looking major version
Detection/coverage: Internet exposure is easy to inventory with external ASM and internal port scans. Tenable itself notes this plugin relies on the application's self-reported version, so package-level verification is mandatory.
STEP 02
Send malformed auth probes with ssh_username_enum.py / EDB-45233
Public PoCs such as
ssh_username_enum.py, Exploit-DB 45233/45939, or GitHub variants send malformed public-key auth requests and compare the server response. Valid users cause a different code path than invalid ones, which is enough to build a username list without credentials.Conditions required:
- Attacker can establish repeated SSH sessions
- Target still behaves differently for valid versus invalid users
- Rate-limiting or tarpitting does not fully suppress signal quality
Where this breaks in practice:
- This yields only a user-existence oracle, not an auth bypass
- Connection throttling, fail2ban-style controls, and noisy auth logging make large sweeps expensive
- Some deployments disable password auth entirely, reducing the operational value of enumerated usernames
Detection/coverage: Auth logs can show bursts of failed or malformed pre-auth attempts from a single source. NIDS coverage is mixed because the traffic is valid SSH framing until the malformed auth packet.
STEP 03
Turn usernames into a second-stage intrusion attempt
The only practical impact is downstream: the attacker uses the valid-account list for password spraying, MFA-prompt fatigue elsewhere, or more credible phishing. The vulnerability itself stops here; any real compromise requires a separate weakness such as weak passwords, reused credentials, or another exposed service.
Conditions required:
- Password authentication is enabled somewhere in the estate, or usernames are valuable for identity attacks
- The same naming convention is reused across VPN, O365, LDAP, SSO, or privileged access systems
- Another control fails later in the chain
Where this breaks in practice:
- Modern fleets often use SSH keys, MFA-gated bastions, or IdP-backed admin access
- Usernames are frequently derivable from corporate email addresses or public staff data anyway
- Every real-impact step after enumeration depends on separate, independent weaknesses
Detection/coverage: Password spray and follow-on credential attacks are usually caught by IdP telemetry, MFA analytics, EDR, or PAM/SSO monitoring rather than by SSH-specific detection.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | I found no evidence this CVE is in CISA KEV, and no authoritative source here shows active exploitation campaigns tied specifically to CVE-2018-15473. |
|---|---|
| Public exploit / PoC | Yes. Tenable marks Exploit Available: true, and MITRE/OpenCVE references Exploit-DB 45233 and 45939 plus multiple GitHub PoCs. |
| EPSS | CIRCL's Vulnerability-Lookup page shows EPSS 0.90356 with percentile 0.99618 (snapshot dated 2026-05-31). That's a useful signal for *attempt likelihood*, but here it overstates operational impact because the bug only leaks usernames. |
| KEV status | Not listed in the CISA Known Exploited Vulnerabilities Catalog as checked during this reassessment. |
| CVSS interpretation | Vendor/NVD-style scoring lands around 5.3 MEDIUM with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network reachable, no auth required, but only low confidentiality impact and no integrity/availability loss. |
| Affected versions | Upstream OpenSSH through 7.7 is affected. OpenSSH 7.8 release notes explicitly say sshd was changed to avoid observable parsing differences that reveal whether a target user is valid. |
| Fixed versions / distro backports | Upstream fix is 7.8. Ubuntu backports include 18.04: 1:7.6p1-4ubuntu0.1, 16.04: 1:7.2p2-4ubuntu2.6, 14.04: 1:6.6p1-2ubuntu2.11. Debian fixed stretch in 1:7.4p1-10+deb9u4. |
| Scanner fidelity | Tenable states this plugin did not test the issue directly and instead relied on the application's self-reported version. That means false positives are common on backported distro packages. |
| Scanning / exposure reality | Exposure is broad *in principle*: SSH on port 22 is trivially indexed by platforms like Shodan and Censys. I am making an inference here from their public docs rather than claiming a current vulnerable-host count, because no authoritative count was retrieved. |
| Disclosure / reporter | Qualys publicly disclosed the issue on 2018-08-15 via Openwall; Ubuntu lists CVE publication on 2018-08-17. The upstream fix commit credits Dariusz Tytko and Michał Sajdak. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (3.2/10)
The decisive factor is that this flaw is recon-only: it leaks whether usernames exist, but it does not authenticate the attacker or execute code. In enterprise reality, that makes it a weak amplifier for later credential attacks, not a stand-alone intrusion path.
HIGH Technical impact is limited to username enumeration
HIGH Vendor plugin is version-based and prone to backport false positives
MEDIUM Exposure prevalence across your estate depends on how widely SSH is internet-reachable
Why this verdict
- Recon-only outcome: the bug discloses valid usernames and stops there; there is no auth bypass, RCE, file read, or service kill.
- Attack-chain friction: real harm requires separate follow-on weaknesses such as password auth exposure, weak credentials, or identity controls failing later.
- Reachability narrows the population: only SSH services reachable from the attacker matter, and many enterprise SSH endpoints sit behind VPN, bastions, or admin network controls.
- Backport noise lowers urgency: Tenable explicitly relies on banner versioning, so many Linux distributions may already be patched while still appearing
< 7.8.
Why not higher?
If this were a pre-auth code execution or auth bypass on internet-facing SSH, it would be a different conversation. But enumeration alone is a support function for other attacks, and the blast radius is bounded by how much value a valid username list adds in your environment.
Why not lower?
It is still unauthenticated and network reachable, and exposed SSH is common enough that attackers can cheaply probe it. For orgs with password-auth remnants, predictable usernames, or externally reachable admin planes, the finding has some real operational value to adversaries.
05 · Compensating Control
What to do — in priority order.
- Restrict SSH exposure — Move administrative SSH behind VPN, bastions, or source-IP allowlists. For a LOW finding there is no SLA; treat this as backlog hygiene, but it is the cleanest way to erase the attack surface entirely.
- Disable password authentication where possible — Force key-based auth or certificate-based access so enumerated usernames cannot be turned directly into password-spray opportunities. For LOW, fold this into your normal hardening cycle rather than a break-fix push.
- Throttle and alert on SSH auth bursts — Use
MaxStartups, fail2ban, PAM rate controls, or perimeter controls to make username harvesting and follow-on spraying noisy and expensive. No formal mitigation deadline applies here, but this is a worthwhile control improvement during routine platform maintenance. - Validate package backports before opening change tickets — Check distro package metadata, not just the SSH banner, because Ubuntu/Debian often ship fixed builds on older upstream-looking versions. This prevents wasting patch windows on already-remediated hosts.
What doesn't work
- A WAF does nothing here because this is SSH, not HTTP.
- MFA on other services helps later identity abuse, but it does not stop the initial username-oracle behavior against
sshd. - Changing the SSH port is not a fix; it may reduce casual scanning, but any reachable listener still leaks usernames if vulnerable.
06 · Verification
Crowdsourced verification payload.
Run this on the target Linux host with local shell access. Invoke it as bash check_cve_2018_15473.sh; no root is required for package checks, but root may be needed on some systems to read service binaries or package metadata consistently. The script prefers distro package status over the raw SSH banner and prints VULNERABLE, PATCHED, or UNKNOWN.
#!/usr/bin/env bash
# check_cve_2018_15473.sh
# Determine likely exposure to CVE-2018-15473 (OpenSSH username enumeration)
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
say() { printf '%s\n' "$*"; }
unknown() { say "UNKNOWN: $*"; exit 2; }
patched() { say "PATCHED: $*"; exit 0; }
vuln() { say "VULNERABLE: $*"; exit 1; }
have() { command -v "$1" >/dev/null 2>&1; }
get_ssh_banner() {
local out
out="$(ssh -V 2>&1 || true)"
if [ -n "$out" ]; then
printf '%s' "$out"
return 0
fi
return 1
}
# Compare Debian package versions if dpkg is present
check_dpkg() {
local pkg ver id ver_id
have dpkg-query || return 1
pkg="openssh-server"
if ! dpkg-query -W -f='${Status} ${Version}\n' "$pkg" >/tmp/cve15473_dpkg.$$ 2>/dev/null; then
return 1
fi
read -r _ _ _ ver < /tmp/cve15473_dpkg.$$ || true
rm -f /tmp/cve15473_dpkg.$$
[ -n "${ver:-}" ] || unknown "Could not read dpkg version for $pkg"
id=""
ver_id=""
if [ -r /etc/os-release ]; then
. /etc/os-release
id="${ID:-}"
ver_id="${VERSION_ID:-}"
fi
case "$id:$ver_id" in
ubuntu:18.04)
dpkg --compare-versions "$ver" ge "1:7.6p1-4ubuntu0.1" && patched "$pkg $ver on Ubuntu 18.04 meets fixed backport floor" || vuln "$pkg $ver on Ubuntu 18.04 is below fixed backport floor 1:7.6p1-4ubuntu0.1"
;;
ubuntu:16.04)
dpkg --compare-versions "$ver" ge "1:7.2p2-4ubuntu2.6" && patched "$pkg $ver on Ubuntu 16.04 meets fixed backport floor" || vuln "$pkg $ver on Ubuntu 16.04 is below fixed backport floor 1:7.2p2-4ubuntu2.6"
;;
ubuntu:14.04)
dpkg --compare-versions "$ver" ge "1:6.6p1-2ubuntu2.11" && patched "$pkg $ver on Ubuntu 14.04 meets fixed backport floor" || vuln "$pkg $ver on Ubuntu 14.04 is below fixed backport floor 1:6.6p1-2ubuntu2.11"
;;
debian:9)
dpkg --compare-versions "$ver" ge "1:7.4p1-10+deb9u4" && patched "$pkg $ver on Debian 9 meets fixed backport floor" || vuln "$pkg $ver on Debian 9 is below fixed backport floor 1:7.4p1-10+deb9u4"
;;
debian:11)
dpkg --compare-versions "$ver" ge "1:8.4p1-5+deb11u3" && patched "$pkg $ver on Debian 11 meets tracker fixed floor" || vuln "$pkg $ver on Debian 11 is below tracker fixed floor 1:8.4p1-5+deb11u3"
;;
ubuntu:*|debian:*)
unknown "$pkg $ver installed on $id $ver_id; distro present but not mapped in this lightweight checker. Validate against vendor security tracker."
;;
*)
return 1
;;
esac
}
# Fallback: inspect SSH client banner only; may be wrong for server and wrong with backports
check_banner_fallback() {
local banner base
banner="$(get_ssh_banner || true)"
[ -n "$banner" ] || unknown "No package metadata and no ssh banner available"
case "$banner" in
*OpenSSH_7.8*|*OpenSSH_7.9*|*OpenSSH_8.*|*OpenSSH_9.*)
patched "Banner suggests $banner (upstream 7.8+), but confirm server package on distro-managed hosts"
;;
*OpenSSH_7.7*|*OpenSSH_7.6*|*OpenSSH_7.5*|*OpenSSH_7.4*|*OpenSSH_7.3*|*OpenSSH_7.2*|*OpenSSH_7.1*|*OpenSSH_7.0*|*OpenSSH_6.*|*OpenSSH_5.*|*OpenSSH_4.*|*OpenSSH_3.*|*OpenSSH_2.*)
unknown "Banner suggests potentially affected upstream version ($banner), but distro backports can make this a false positive"
;;
*)
unknown "Unrecognized SSH banner: $banner"
;;
esac
}
check_dpkg || check_banner_fallback
unknown "Unable to determine patch state"07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not treat Tenable
159490 like an emergency patch train. First, separate truly exposed SSH servers from internal-only admin endpoints, then suppress hosts where Ubuntu/Debian backports already fixed CVE-2018-15473 despite an old-looking banner. Because this is LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene and roll fixes during normal OS maintenance rather than burning an out-of-band window.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.