Wind River Support Network


LIN6-11809 : Security Advisory - openssh - CVE-2016-6210

Created: Sep 26, 2016    Updated: Dec 3, 2018
Resolved Date: Sep 27, 2016
Found In Version: 6.0
Fix Version:
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Userspace


When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded  password  structure  the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB)  will result in shorter response time from the server for non-existing users. This allows remote attacker to enumerate existing users on system logging via SSHD.

Published in:

Other Downloads

Live chat