
OpenSSH < 4.1.0p2 / 4.2 Timing Attack



The remote host discloses information regarding the availability of user accounts.


The remote host is running a version of OpenSSH that is vulnerable to a flaw in the way it handles authentication requests. Specifically, OpenSSH is alleged to vary its response time based on the complexity (or availability) of the user's password: an account with no password elicits a quicker SSH response than an account with a defined password. An attacker exploiting this flaw could determine which local accounts have passwords, information that would be useful in other, more complex attacks.

Note: PVS has relied solely on the banner of the SSH client to perform this check. Backported patches or workarounds, such as recompiling or edited configurations, are not observable through the banner.
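The banner-only check described in the note can be reproduced for your own inventory. The following is an added example, not Tenable's plugin code: it parses constructed OpenSSH version banners, compares the version against the fixed release named in the solution (4.1.0p2, with 4.2 naturally sorting above it) and flags older builds, while returning an explicit "unknown" verdict for non-OpenSSH banners. The sample banner strings are constructed for illustration and were not captured from any real host; as the note says, a backported fix cannot be detected this way, so a match is a lead for patch verification, not proof of exposure.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample banners (hypothetical, not from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4",
    "SSH-2.0-OpenSSH_4.1.0p2",
    "SSH-2.0-OpenSSH_4.2p1",
    "SSH-1.99-OpenSSH_3.9p1",
    "SSH-2.0-dropbear_2019.78",
]

# Matches "SSH-<proto>-OpenSSH_<major>.<minor>[.<patch>][p<portable>]".
BANNER_RE = re.compile(
    r"^SSH-(?:1\.5|1\.99|2\.0)-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?"
)

# The advisory's fix threshold: 4.1.0p2. Version 4.2 compares higher, so
# "4.2 or 4.1.0p2 or higher" collapses to ">= this tuple".
FIXED_VERSION = (4, 1, 0, 2)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, portable) or None if not an OpenSSH banner.

    A missing patch level or missing "p" suffix (OpenBSD-native builds) is
    treated as 0 so tuples compare cleanly.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def is_vulnerable_banner(banner: str) -> Optional[bool]:
    """True if the banner advertises OpenSSH older than 4.1.0p2,
    False if it is at or above that, None if the banner is not OpenSSH.

    Caveat (from the advisory note): a distribution that backported the fix
    without bumping the banner will still be reported True here.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage_banners(banners: List[str]) -> List[Tuple[str, str]]:
    """Map each banner to a verdict string for a report or ticket."""
    labels = {True: "VULNERABLE-BY-BANNER", False: "PATCHED", None: "UNKNOWN"}
    return [(b, labels[is_vulnerable_banner(b)]) for b in banners]


if __name__ == "__main__":
    for banner, verdict in triage_banners(SAMPLE_BANNERS):
        print(f"{verdict:22s} {banner}")
```

Because the check is purely lexical, feed it banners you have already collected (for example from your own asset inventory) rather than probing hosts; anything reported as VULNERABLE-BY-BANNER should be confirmed against the vendor's changelog for backported fixes before it is treated as a finding.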


Upgrade to version 4.2, 4.1.0p2 or higher.