[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-3626-1 openssh -- openssh

ID: oval:org.secpod.oval:def:602566Date: (C)2016-07-26   (M)2023-12-20
Class: PATCHFamily: unix




Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.

Platform:
Debian 8.x
Product:
openssh-server
openssh-client
Reference:
DSA-3626-1
CVE-2016-6210
CVE    1
CVE-2016-6210
CPE    3
cpe:/a:openbsd:openssh-server
cpe:/o:debian:debian_linux:8.x
cpe:/a:openbsd:openssh-client

© SecPod Technologies