Timing-based User Enumeration Vulnerability in OpenSSH

CVE-2016-6210 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

sshd in OpenSSH before 7.3, when SHA256 or SHA512 is used for user password hashing, runs Blowfish hashing against a static password when the username does not exist. Response times therefore differ between existing and non-existent usernames, which allows remote attackers to enumerate users by leveraging that timing difference when a large password is provided.
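An exposure check for the two conditions named above (OpenSSH before 7.3, and SHA256 or SHA512 password hashing), as an added example that is not part of the original advisory or of OpenSSH. The function names, the status labels and the sample banner and shadow lines are assumptions constructed for illustration.

```python
import re

# crypt(3) scheme prefixes found in the password field of /etc/shadow.
SHA_CRYPT_PREFIXES = ("$5$", "$6$")  # SHA-256 crypt, SHA-512 crypt
FIXED_IN = (7, 3)                    # advisory text: "OpenSSH before 7.3"

# Constructed sample inputs (not real hashes, not from the advisory).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1"
SAMPLE_SHADOW = """\
root:!:17000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
bob:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
svc:$2b$10$CONSTRUCTEDBCRYPTHASH:17000:0:99999:7:::
"""

def openssh_version(banner):
    """Return (major, minor) from an SSH banner or `ssh -V` output, else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def sha_crypt_accounts(shadow_text):
    """Return the accounts whose shadow hash uses SHA-256 or SHA-512 crypt."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith(SHA_CRYPT_PREFIXES):
            names.append(fields[0])
    return names

def exposure(banner, shadow_text):
    """Combine both preconditions from the advisory into one status."""
    version = openssh_version(banner)
    accounts = sha_crypt_accounts(shadow_text)
    if version is None:
        status = "unknown"              # not an OpenSSH version string
    elif version >= FIXED_IN:
        status = "not affected"
    elif accounts:
        status = "affected"             # old sshd and SHA-crypt hashes in use
    else:
        status = "precondition absent"  # old sshd, no SHA-crypt hashes found
    return {"version": version, "status": status, "sha_crypt_accounts": accounts}

if __name__ == "__main__":
    print(exposure(SAMPLE_BANNER, SAMPLE_SHADOW))
```

Distribution packages can carry a backported fix while still reporting an upstream version below 7.3, so an "affected" result should be confirmed against the vendor's own advisory for the installed package.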
