CVE-2016-6210
CVE-2016-6210
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Produtos afetados
n/a · n/aPoCs públicas encontradas — 12
githubgithub.com/justlce/CVE-2016-6210-Exploit★ 3githubgithub.com/serexp/poc-CVE20166210★ 2githubgithub.com/goomdan/CVE-2016-6210-exploit★ 1githubgithub.com/wabiyagi/CVE-2016-6210★ 1githubgithub.com/Alisha-chaudhary/ssh-enum★ 0githubgithub.com/samh4cks/CVE-2016-6210-OpenSSH-User-Enumeration★ 0githubgithub.com/nicoleman0/CVE-2016-6210-OpenSSHd-7.2p2★ 0githubgithub.com/KiPhuong/cve-2016-6210★ 0exploitdbwww.exploit-db.com/exploits/40136não verificadoexploitdbwww.exploit-db.com/exploits/40113não verificadocve_referencewww.exploit-db.com/exploits/40113/não verificadocve_referencewww.exploit-db.com/exploits/40136/não verificado⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.
Quer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://access.redhat.com/errata/RHSA-2017:2029https://access.redhat.com/errata/RHSA-2017:2563https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfhttp://seclists.org/fulldisclosure/2016/Jul/51https://security.gentoo.org/glsa/201612-18https://security.netapp.com/advisory/ntap-20190206-0001/https://www.exploit-db.com/exploits/40113/https://www.exploit-db.com/exploits/40136/https://www.openssh.com/txt/release-7.3http://www.debian.org/security/2016/dsa-3626http://www.securityfocus.com/bid/91812http://www.securitytracker.com/id/1036319