CVE-2016-6210 openssh: User enumeration via covert timing channel

CVE ID

CVE-2016-6210

DESCRIPTION

A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses.

RESOLUTION

  • CentOS 6 based Unitrends appliances (physical and/or virtual): the fix is in openssh-5.3p1-123.el6_9. This was fixed in Unitrends software release-10.3.8. Please upgrade to the latest release version.
  • CentOS 7 based Unitrends appliances (physical and/or virtual): the fix is in openssh-7.4p1-11.el7, and Unitrends' initial CentOS 7 release shipped with openssh-7.4p1-16.el7.
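
The following is an added example, not Unitrends' or the OpenSSH project's code: it checks a line of `rpm -q openssh` output against the fixed builds listed above. It assumes a simplified form of RPM's version ordering (no epoch, no `~` or `^`), and the script file name in the usage comment is arbitrary.

```python
import re
import sys

# Fixed builds as listed in the RESOLUTION section, keyed by dist tag.
FIXED = {"el6": ("5.3p1", "123.el6_9"), "el7": ("7.4p1", "11.el7")}


def rpmvercmp(a, b):
    """Simplified RPM ordering: compare runs of digits / letters in turn.
    Assumption: no epoch and no '~' or '^' in the strings."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():                     # numeric: compare as integers
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments = newer


def is_fixed(pkg):
    """pkg is one line of `rpm -q openssh` output, e.g. openssh-7.4p1-16.el7.x86_64.
    Returns True when the build is at or above the fixed build for its release."""
    name, version, release = pkg.strip().rsplit("-", 2)
    release = re.sub(r"\.(x86_64|i686|noarch)$", "", release)  # drop arch suffix
    dist = re.search(r"\.(el\d+)", release)
    if not name.startswith("openssh") or not dist or dist.group(1) not in FIXED:
        raise ValueError(f"not an el6/el7 openssh package: {pkg!r}")
    fixed_version, fixed_release = FIXED[dist.group(1)]
    # Version decides first; release is only consulted when versions are equal.
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


if __name__ == "__main__":
    # Usage: rpm -q openssh | python3 check_openssh.py
    for line in sys.stdin:
        if line.strip():
            print(line.strip(), "fixed" if is_fixed(line) else "NOT fixed")
```
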

LINK TO ADVISORIES
