exploitDog
CVE-2016-6210

Published: 13 Feb 2017
Source: debian
EPSS: Critical

Description

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Packages

Package | Status | Fixed version | Release | Type
openssh | fixed  | 1:7.2p2-6     |         | package

Notes

  • http://seclists.org/fulldisclosure/2016/Jul/51

  • https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc

  • https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946

  • Suggested to cherry-pick as well: https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc

  • otherwise the mitigation isn't very effective for systems with a locked root account.

EPSS

Percentile: 100%
Score: 0.92487
Critical

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 8 years ago

CVSS3: 5.3
redhat
almost 9 years ago

CVSS3: 5.9
nvd
more than 8 years ago

CVSS3: 5.9
github
about 3 years ago

oracle-oval
almost 8 years ago

ELSA-2017-2563: openssh security update (MODERATE)