[3.5] openssh: User enumeration via covert timing channel (CVE-2016-6210)
ID: oval:org.secpod.oval:def:1800280 | Date: (C)2018-03-28 (M)2023-12-07 |
Class: PATCH | Family: unix |
When sshd tries to authenticate a non-existing user, it picks up a fake password structure hardcoded in the sshd source code. The password hash in this hardcoded structure is based on the Blowfish algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwords will result in a shorter response time from the server for non-existing users.
Platform: |
Alpine Linux 3.5 |