Main Vulnerability Database Vulnerabilities #VU253

Sensitive timing information disclosure in OpenSSH - #VU253

Published: August 2, 2016 / Updated: August 22, 2016

Vulnerability identifier: #VU253

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenSSH

Affected software:
OpenSSH

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive timing information.

The vulnerability exists in OpenSSH. A remote attacker may be able to observe timing differences in the ssh(1) and sshd(8) CBC padding oracle countermeasures.

Successful exploitation of this vulnerability may result in disclosure of system information.

Remediation

Install the latest version of OpenSSH 7.3.

Sources

http://www.openssh.com/txt/release-7.3

Sensitive timing information disclosure in OpenSSH - #VU253

Detailed vulnerability description

Remediation

Sources

Please verify you're human