CVE-2016-20012

2021-09-1500:00:00

ubuntu.com

openssh

remote attackers

username

public key

vulnerability

user enumeration

security feature

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.021

Percentile

89.4%

JSON

DISPUTED OpenSSH through 8.7 allows remote attackers, who have a
suspicion that a certain combination of username and public key is known to
an SSH server, to test whether this suspicion is correct. This occurs
because a challenge is sent only when that combination could be valid for a
login session. NOTE: the vendor does not recognize user enumeration as a
vulnerability for this product.

Notes

Author	Note
seth-arnold	openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. The upstream OpenSSH developers see this as an important security feature and do not intend to ‘fix’ it.
ccdm94	Reading through the comments in PR 270, which is now closed and has not been merged, it is possible to see that upstream does not plan on fixing this issue because it would introduce too many possible new problems.