OpenSSH-Portable Existing Password Remote Information Disclosure Weakness
OpenSSH reportedly contains an information-disclosure weakness. This issue resides in the portable version of OpenSSH, which is distributed for operating systems other than its native OpenBSD platform. It has been confirmed to derive from neither the Pluggable Authentication Module (PAM) issue disclosed in BID 11781 in 2004 nor the more recent Generic Security Services Application Programming Interface (GSSAPI)-based information leak outlined in BID 20245. Reportedly, it is possible to verify access credentials for users with an existing system password by measuring SSH authentication timing differences. This weakness allows remote users to test for the existence of valid usernames with a password set. Knowledge of system users with established passwords may aid in further attacks.
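
The class of weakness described above and its usual mitigation, as an added sketch that is not OpenSSH code and not part of the original advisory. It assumes the timing difference comes from the expensive password hash being computed only for accounts that have a password set (the advisory does not state the cause); the account table, function names and work factor are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed work factor for this sketch
kdf_calls = 0         # counts expensive hash runs so the cost can be compared

def kdf(password: str, salt: bytes) -> bytes:
    """The expensive step whose presence or absence shows up in response time."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_entry(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed account table: None models an account with no password set.
ACCOUNTS = {"alice": make_entry("correct horse"), "svc-backup": None}

# Dummy entry hashed against for unknown users and password-less accounts.
DUMMY = make_entry(os.urandom(16).hex())

def verify_leaky(user: str, password: str) -> bool:
    """Before: returns early, so only accounts with a password pay for the KDF."""
    entry = ACCOUNTS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(kdf(password, salt), stored)

def verify_uniform(user: str, password: str) -> bool:
    """After: every attempt costs one KDF run and one constant-time compare."""
    entry = ACCOUNTS.get(user)
    salt, stored = entry if entry is not None else DUMMY
    match = hmac.compare_digest(kdf(password, salt), stored)
    return match and entry is not None

def kdf_cost(fn, user: str) -> int:
    """Number of KDF runs that one failed attempt for `user` triggers."""
    before = kdf_calls
    fn(user, "wrong-guess")
    return kdf_calls - before
```

Comparing `kdf_cost(verify_leaky, ...)` across the three kinds of account shows the work imbalance; with `verify_uniform` the cost is the same for all of them.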