Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users. For the stable distribution (jessie), this problem has been fixed in version 1:6.7p1-5+deb8u3. For the unstable distribution (sid), this problem has been fixed in version 1:7.2p2-6. We recommend that you upgrade your openssh packages.
Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.
For the stable distribution (jessie), this problem has been fixed in version 1:6.7p1-5+deb8u3.
For the unstable distribution (sid), this problem has been fixed in version 1:7.2p2-6.
We recommend that you upgrade your openssh packages.
Vulmon