Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 589088 (CVE-2016-6210)

Summary: <net-misc/openssh-7.3_p1: User enumeration via covert timing channel
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa glsa blocked cve]
Package list:
Runtime testing required: ---
Bug Depends on: 590202    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-07-18 15:38:11 UTC
From ${URL} :

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded  
password  structure  the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large 
passwords (10KB)  will result in shorter response time from the server for non-existing users. This allows remote attacker to enumerate existing users on 
system logging via SSHD.

Published in:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:32:53 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at
by GLSA coordinator Aaron Bauman (b-man).