CVE-2016-20012
Published: 15 September 2021
** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.
Notes
| Author | Note |
|---|---|
| seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. The upstream OpenSSH developers see this as an important security feature and do not intend to 'fix' it. |
| ccdm94 | Reading through the comments in PR 270, which is now closed and has not been merged, it is possible to see that upstream does not plan on fixing this issue because it would introduce too many possible new problems. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Ignored
|
|
| hirsute |
Ignored
|
|
| impish |
Ignored
|
|
| jammy |
Ignored
|
|
| trusty |
Ignored
|
|
| upstream |
Ignored
(see notes)
|
|
| xenial |
Ignored
|
|
|
openssh-ssh1 Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Ignored
|
|
| hirsute |
Ignored
|
|
| impish |
Ignored
|
|
| jammy |
Ignored
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(frozen on openssh 7.5p)
|
|
| xenial |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
- https://github.com/openssh/openssh-portable/pull/270
- https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265
- https://rushter.com/blog/public-ssh-keys/
- https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak
- https://www.cve.org/CVERecord?id=CVE-2016-20012
- NVD
- Launchpad
- Debian