Bugzilla – Bug 989363
VUL-0: CVE-2016-6210: openssh: User enumeration via covert timing channel
Last modified: 2020-06-08 23:22:47 UTC
http://seclists.org/fulldisclosure/2016/Jul/51

--------------------------------------------------------------------
User Enumeration using Open SSHD (<=Latest version).
-------------------------------------------------------------------

Abstract:
-----------
By sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most modern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.

CVE-ID
---------
CVE-2016-6210

Tested versions
--------------------
This issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).

Fix
-----------------
This issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet). (thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).

Details
----------------
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter response time from the server for non-existing users.

Sample code:
----------------
    import paramiko
    import time
    user=raw_input("user: ")
    p='A'*25000
    ssh = paramiko.SSHClient()
    starttime=time.clock()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect('127.0.0.1', username=user, password=p)
    except:
        endtime=time.clock()
    total=endtime-starttime
    print(total)

(Valid users will result in higher total time).

*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...

*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP packets of the server, since this will eliminate any network delays on the way.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1357442
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6210
https://github.com/openssh/openssh-portable/commit/9286875a73b2de7736b5e50692739d314cd8d9dc
https://github.com/openssh/openssh-portable/commit/283b97ff33ea2c641161950849931bd578de6946
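
Added example, not part of the advisory or of OpenSSH: a check an administrator can run to see which accounts meet the condition described under Details (real password hashes using SHA256/SHA512 while the fake entry uses Blowfish). It parses shadow-format text; the sample entries and the names `scheme_of` and `audit` are constructed for illustration.

```python
# Added example: classify crypt(3) hash schemes in shadow-format lines and
# list accounts whose scheme is one the advisory names as slow on long input.
SCHEMES = {"1": "md5", "2": "blowfish", "2a": "blowfish", "2b": "blowfish",
           "2y": "blowfish", "5": "sha256", "6": "sha512", "y": "yescrypt"}
SLOW_ON_LONG_INPUT = {"sha256", "sha512"}  # schemes named in the advisory

# Constructed sample in /etc/shadow layout; the hash strings are dummies.
SAMPLE_SHADOW = """\
root:$6$saltsalt$AAAAAAAA:17000:0:99999:7:::
alice:$6$othersalt$BBBBBBBB:17000:0:99999:7:::
bob:$2a$10$CCCCCCCCCCCCCCCCCCCCCC:17000:0:99999:7:::
carol:$5$salt$DDDDDDDD:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
svc:!$6$salt$EEEEEEEE:17000:0:99999:7:::
"""

def scheme_of(field):
    """Return the scheme name, or 'locked', 'empty' or 'unknown', for one hash field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"   # password is locked or was never set
    parts = field.split("$")
    if len(parts) < 3 or parts[0] != "":
        return "unknown"  # no $id$ prefix, e.g. legacy DES
    return SCHEMES.get(parts[1], "unknown")

def audit(shadow_text):
    """Return (username -> scheme, accounts hashed with SHA256/SHA512)."""
    schemes, exposed = {}, []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, scheme = fields[0], scheme_of(fields[1])
        schemes[user] = scheme
        if scheme in SLOW_ON_LONG_INPUT:
            exposed.append(user)
    return schemes, exposed

if __name__ == "__main__":
    schemes, exposed = audit(SAMPLE_SHADOW)
    for user, scheme in schemes.items():
        print(f"{user:8} {scheme}")
    print("accounts hashed with SHA256/SHA512:", ", ".join(exposed) or "none")
```
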
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-08-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62899
bugbot adjusting priority

SUSE-SU-2016:2280-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 948902,981654,989363,992533
CVE References: CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): openssh-6.6p1-52.1, openssh-askpass-gnome-6.6p1-52.1
SUSE Linux Enterprise Server 12-SP1 (src): openssh-6.6p1-52.1, openssh-askpass-gnome-6.6p1-52.1
SUSE Linux Enterprise Server 12-LTSS (src): openssh-6.6p1-52.1, openssh-askpass-gnome-6.6p1-52.1
SUSE Linux Enterprise Desktop 12-SP1 (src): openssh-6.6p1-52.1, openssh-askpass-gnome-6.6p1-52.1

SUSE-SU-2016:2281-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 948902,981654,989363,992533
CVE References: CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-28.1, openssh-askpass-gnome-6.6p1-28.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-28.1, openssh-askpass-gnome-6.6p1-28.2

openSUSE-SU-2016:2339-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 948902,981654,989363,992533
CVE References: CVE-2016-6210,CVE-2016-6515
Sources used:
openSUSE Leap 42.1 (src): openssh-6.6p1-14.1, openssh-askpass-gnome-6.6p1-14.1

SUSE-SU-2016:2388-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 932483,948902,959096,962313,962794,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE OpenStack Cloud 5 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager Proxy 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Manager 2.1 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Point of Sale 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.33.2, openssh-askpass-gnome-6.2p2-0.33.5

This is an autogenerated message for OBS integration: This bug (989363) was mentioned in https://build.opensuse.org/request/show/433780 Factory / openssh

SUSE-SU-2016:2555-1: An update that solves 5 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 729190,932483,948902,960414,961368,961494,962313,965576,970632,975865,981654,989363,992533
CVE References: CVE-2015-8325,CVE-2016-1908,CVE-2016-3115,CVE-2016-6210,CVE-2016-6515
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openssh-openssl1-6.6p1-15.1

released