589088 – (CVE-2016-6210) <net-misc/openssh-7.3_p1: User enumeration via covert timing channel

Bug 589088 (CVE-2016-6210) - <net-misc/openssh-7.3_p1: User enumeration via covert timing channel

Summary: <net-misc/openssh-7.3_p1: User enumeration via covert timing channel

Status:	RESOLVED FIXED

Alias:	CVE-2016-6210

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	A4 [glsa glsa blocked cve]
Keywords:

Depends on:	590202
Blocks:
	Show dependency tree

Reported:	2016-07-18 15:38 UTC by Agostino Sarubbo
Modified:	2016-12-07 10:32 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-07-18 15:38:11 UTC

From ${URL} :

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded  
password  structure  the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large 
passwords (10KB)  will result in shorter response time from the server for non-existing users. This allows remote attacker to enumerate existing users on 
system logging via SSHD.

Published in:

http://seclists.org/fulldisclosure/2016/Jul/51


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2016-12-07 10:32:53 UTC

This issue was resolved and addressed in
 GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18
by GLSA coordinator Aaron Bauman (b-man).