Call for testing: OpenSSH 7.3
coredump at autistici.org
Fri Jul 22 19:05:09 AEST 2016
Hi, I have tested the mitigation timing differences in password
authentication (CVE-2016-6210). I have compiled
openssh-SNAP-20160722.tar.gz in a Debian 8 and use my tool Osueta
(https://github.com/c0r3dump3d/osueta) against the system.
Ok, I have seen that you calculate all the password hash exist or not
exist the user, and with this you can not discriminate the presence or
absence of that user, but now it's more easy to establish the DOS
condition in the access to the Openssh server and exhausting the CPU
resources, any dummy user it can be used!
osueta -H 192.168.100.204 -U asdf -v no -d 15 -p 22 --dos yes -t 40
Users found Time delay in seconds
I have attached screenshots with the CPU resource exhaustion and the DOS
in the access to the Openssh server.
The test machine it's a Debian 8 VM in KVM with 4 Core and 2GB of RAM.
For CVE-2016-6210 user enumeration really it's mitigate but for the
problem of DOS as I say seems much easier to exploit!!
El 22/07/16 a las 06:40, Damien Miller escribió:
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
More information about the openssh-unix-dev