openbsd openssh CVE-2016-6210 is a vulnerability in OpenBSD OpenSSH
Published on February 13, 2017

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2016-6210 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2016-6210. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2016-6210 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2016-6210

Want to know whenever a new CVE is published for OpenBSD OpenSSH? stack.watch will email you.

OpenBSD OpenSSH
 

Exploit Probability

EPSS
90.05%
Percentile
99.60%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.