Wind River Support Network

HomeDefectsLIN8-4801
Fixed

LIN8-4801 : Security Advisory - openssh - CVE-2016-6210

Created: Sep 26, 2016    Updated: Dec 3, 2018
Resolved Date: Sep 27, 2016
Found In Version: 8.0
Fix Version: 8.0.0.11
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Userspace

Description

When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded  password  structure  the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB)  will result in shorter response time from the server for non-existing users. This allows remote attacker to enumerate existing users on system logging via SSHD.

Published in:

http://seclists.org/fulldisclosure/2016/Jul/51

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210

Other Downloads


CVEs


Live chat
Online