Skip to content

Home Early Warning System Issues Microsoft Windows OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
Tuesday, 19 July 2016 11:19

A vulnerability was reported in OpenSSH. A remote user can send a specially crafted request with a large password (approximately 10,000 characters) to the target ssh daemon to determine valid usernames on the target system. On systems where a valid user's password has been hashed with SHA256/SHA512, the response time will be shorter for a non-existent username than for a valid username.No solution was available at the time of this entry.

 
[YOUR IP: 18.234.247.75: 46546] ...   [YOUR BROWSER: CCBot/2.0 (https://commoncrawl.org/faq/)] ...