Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.

For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.

We recommend that you upgrade your openssh packages.

CPENameOperatorVersion
openssheq1:6.7p1-5+deb8u2
openssheq1:6.7p1-5+deb8u1
openssheq1:6.7p1-5

Name	Operator	Version
openssh	eq	1:6.7p1-5+deb8u2
openssh	eq	1:6.7p1-5+deb8u1
openssh	eq	1:6.7p1-5

References

www.debian.org/security/2016/dsa-3626

f5 1

nvd 1

openvas 19

nessus 32

centos 2

ibm 22

packetstorm 2

veracode 1

osv 2

redhatcve 1

debiancve 1

cvelist 1

prion 1

fedora 1

cve 1

archlinux 1

debian 3

redhat 2

hackerone 1

zdt 2

exploitpack 2

paloalto 1

oraclelinux 3

ubuntucve 1

alpinelinux 1

exploitdb 2

cloudfoundry 1

freebsd 1

slackware 1

ubuntu 1

symantec 1

checkpoint_advisories 1

aix 1

altlinux 3

mageia 1

gentoo 1

amazon 1

rosalinux 1

ics 1

K14845276 : OpenSSH vulnerability CVE-2016-6210

2016-12-23 00:00:00

nvd

CVE-2016-6210

2017-02-13 17:59:00

openvas

Debian: Security Advisory (DLA-578-1)

2023-03-08 00:00:00

RedHat Update for openssh RHSA-2017:2563-01

2017-09-01 00:00:00

Debian: Security Advisory (DSA-3626-1)

2016-08-02 00:00:00

nessus

EulerOS 2.0 SP1 : openssh (EulerOS-SA-2017-1189)

2017-09-08 00:00:00

Debian DSA-3626-1 : openssh - security update

2016-07-25 00:00:00

Debian DLA-578-1 : openssh security update

2016-08-01 00:00:00

centos

openssh, pam_ssh_agent_auth security update

2017-08-31 18:50:28

openssh, pam_ssh_agent_auth security update

2017-08-24 01:40:16

ibm

Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware.

2019-01-31 02:25:02

Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC5022 16Gb SAN Scalable Switch (CVE-2016-6210)

2019-01-31 02:25:02

Security Bulletin: Vulnerabilities in OpenSSH affect the IBM FlashSystem models 840 and 900

2023-02-18 01:45:50

packetstorm

OpenSSHD 7.2p2 User Enumeration

2016-07-18 00:00:00

OpenSSHD 7.2p2 User Enumeration

2016-07-21 00:00:00

veracode

Information Disclosure

2019-01-15 09:20:13

osv

openssh - security update

2016-07-30 00:00:00

CVE-2016-6210

2017-02-13 17:59:00

redhatcve

CVE-2016-6210

2016-07-18 09:18:22

debiancve

CVE-2016-6210

2017-02-13 17:59:00

cvelist

CVE-2016-6210

2017-02-13 00:00:00

prion

Design/Logic Flaw

2017-02-13 17:59:00

fedora

[SECURITY] Fedora 24 Update: openssh-7.2p2-10.fc24

2016-07-20 17:50:40

cve

CVE-2016-6210

2017-02-13 17:59:00

archlinux

openssh: information leakage

2016-08-02 00:00:00

debian

[SECURITY] [DLA 578-1] openssh security update

2016-07-30 21:40:46

[SECURITY] [DSA 3626-1] openssh security update

2016-07-24 09:19:18

[SECURITY] [DSA 3626-1] openssh security update

2016-07-24 09:19:18

redhat

(RHSA-2017:2563) Moderate: openssh security update

2017-08-31 13:09:34

(RHSA-2017:2029) Moderate: openssh security, bug fix, and enhancement update

2017-08-01 05:57:17

hackerone

Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list

2019-01-08 09:59:42

zdt

OpenSSHd 7.2p2 - Username Enumeration (2)

2016-07-20 00:00:00

OpenSSHd 7.2p2 - Username Enumeration (1)

2016-07-18 00:00:00

exploitpack

OpenSSHd 7.2p2 - Username Enumeration

2016-07-18 00:00:00

OpenSSH 7.2p2 - Username Enumeration

2016-07-20 00:00:00

paloalto

OpenSSH Vulnerability

2016-11-17 17:02:00

oraclelinux

openssh security update

2017-08-31 00:00:00

openssh security update

2023-08-11 00:00:00

openssh security, bug fix, and enhancement update

2017-08-07 00:00:00

ubuntucve

CVE-2016-6210

2016-07-18 00:00:00

alpinelinux

CVE-2016-6210

2017-02-13 17:59:00

exploitdb

OpenSSH 7.2p2 - Username Enumeration

2016-07-20 00:00:00

OpenSSHd 7.2p2 - Username Enumeration

2016-07-18 00:00:00

cloudfoundry

USN-3061-1 OpenSSH vulnerability | Cloud Foundry

2016-08-25 00:00:00

freebsd

openssh -- sshd -- remote valid user discovery and PAM /bin/login attack

2016-08-01 00:00:00

slackware

[slackware-security] openssh

2016-08-06 21:10:35

ubuntu

OpenSSH vulnerabilities

2016-08-15 00:00:00

symantec

SA136 : OpenSSH Vulnerabilities

2016-12-13 08:00:00

checkpoint_advisories

Multiple SSH Initial Connection Requests (CVE-2003-0190; CVE-2006-5229; CVE-2016-6210)

2011-03-29 00:00:00

aix

AIX OpenSSH Vulnerability

2016-09-08 14:36:37

altlinux

Security fix for the ALT Linux 7 package openssh version 6.7p1-alt1.M70P.3

2016-10-20 00:00:00

Security fix for the ALT Linux 6 package openssh version 6.7p1-alt1.M60P.3

2016-10-20 00:00:00

Security fix for the ALT Linux 8 package openssh version 7.2p2-alt2

2016-10-21 00:00:00

mageia

Updated openssh packages fix security vulnerability

2016-08-31 18:32:33

gentoo

OpenSSH: Multiple vulnerabilities

2016-12-07 00:00:00

amazon

Medium: openssh

2017-10-03 11:00:00

rosalinux

Advisory ROSA-SA-2021-1938

2021-07-02 17:38:20

ics

Siemens SCALANCE X-200RNA Switch Devices

2022-12-19 12:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

0.107 Low

EPSS

Percentile

95.1%

JSON

Related for OSV:DSA-3626-1