OpenSSH < 4.1.0p2 / 4.2 Timing Attack

Low Nessus Network Monitor Plugin ID 3787


The remote host discloses information regarding the availability of user accounts.


The remote host is running a version of OpenSSH that is vulnerable to a flaw in the way that it handles authentication requests. Specifically, OpenSSH is alleged to vary response time based on the complexity (or availability) of the user password. An account that had no password would elicit a quicker SSH response than an account that had a defined password. An attacker exploiting this flaw would be able to determine local accounts that had passwords. This information would be useful in other more complex attacks.

Note: PVS has solely relied on the banner of the SSH client to perform this check. Any backported patches or workarounds such as recompiling or edited configurations are not observable through the banner.


Upgrade to version 4.2, 4.1.0p2 or higher.

See Also

Plugin Details

Severity: Low

ID: 3787

File Name: 3787.prm

Family: SSH

Published: 2006/10/10

Modified: 2016/11/23

Dependencies: 1997, 3059

Risk Information

Risk Factor: Low


Base Score: 3.3

Temporal Score: 3

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:POC/RL:U/RC:ND


Base Score: 4.2

Temporal Score: 3.9


Temporal Vector: CVSS3#E:P/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Reference Information

CVE: CVE-2006-5229

BID: 20418

OSVDB: 32721