CVE-2006-5229
published 2006-10-10
Priority P4 (29) · low · CVSS 2.0 base score 2.6 · AV:N/AC:H/Au:N/C:P/I:N/A:N
Exploit: public exploit available · EPSS 53.96% (98.9th percentile)
OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openbsd | openssh | — | — |
Detection & IOCs (extracted from sources)
- Monitor for one source sending failed SSH authentication attempts against many distinct usernames in a short window. The side channel itself is that a valid username produces a slower "Permission denied" than an invalid one (the password hash in /etc/shadow has to be computed first), and an attacker has to probe a wordlist of names to use it, so the sweep is the observable, not the timing delta.
- sshd logs nonexistent accounts as "Invalid user". In Metasploit's testing of the timing method, valid usernames were not logged at all, so a sweep that appears only as "Invalid user" lines, with no failure recorded for accounts that do exist, is a signal.
- The delay that makes the channel usable comes from manually-set passwords whose /etc/shadow entries use an increased number of hashing rounds; hosts with such entries are at higher risk and should be prioritised for monitoring.
- The attack is only reliably exploitable under specific configurations, in particular where those increased-rounds shadow entries are present; default configurations may not be vulnerable.
- Red Hat was unable to reproduce the flaw and considers it environment-specific, so detections tuned for this CVE may produce false positives or miss the issue depending on the target OS and shadow configuration.
- The Metasploit module also supports a malformed SSH_MSG_USERAUTH_REQUEST packet method (requires public-key authentication to be enabled) as an alternative to the timing attack; both vectors should be considered when writing detections.
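A detection pass that applies the first two bullets to sshd auth log lines, added here as an example and not code from any of the sources on this page. The log lines are constructed (traditional syslog format, hostname and addresses invented, IPs from documentation ranges), the 60-second window and five-name threshold are assumptions to tune per environment, and the "Invalid user" / "Failed password for" message shapes are OpenSSH's own.

```python
"""Flag SSH username-enumeration sweeps in sshd auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source sweeps seven names in a few seconds (the
# 'backup' account exists, so sshd logs a password failure rather than
# 'Invalid user'); a second source is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Oct 14 10:00:01 bastion sshd[4101]: Invalid user admin from 203.0.113.5
Oct 14 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Oct 14 10:00:02 bastion sshd[4103]: Invalid user oracle from 203.0.113.5
Oct 14 10:00:02 bastion sshd[4105]: Invalid user test from 203.0.113.5
Oct 14 10:00:03 bastion sshd[4107]: Invalid user guest from 203.0.113.5
Oct 14 10:00:03 bastion sshd[4109]: Invalid user mysql from 203.0.113.5
Oct 14 10:00:04 bastion sshd[4111]: Invalid user www from 203.0.113.5
Oct 14 10:00:05 bastion sshd[4113]: Failed password for backup from 203.0.113.5 port 40222 ssh2
Oct 14 10:02:10 bastion sshd[4120]: Failed password for alice from 198.51.100.7 port 53001 ssh2
Oct 14 10:02:15 bastion sshd[4120]: Accepted publickey for alice from 198.51.100.7 port 53001 ssh2
"""

# OpenSSH's two pre-auth failure messages; anything else (Accepted ...,
# session opened, ...) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<inv_user>\S+) from (?P<inv_ip>\S+)"
    r"|Failed password for (?P<fail_inv>invalid user )?(?P<fail_user>\S+) "
    r"from (?P<fail_ip>\S+))"
)


def parse_events(text, year=2006):
    """Return (timestamp, source_ip, username, is_invalid) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Traditional syslog stamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = m["inv_user"] or m["fail_user"]
        ip = m["inv_ip"] or m["fail_ip"]
        invalid = m["inv_user"] is not None or m["fail_inv"] is not None
        events.append((ts, ip, user, invalid))
    return events


def find_enumeration(events, window_seconds=60, min_distinct=5):
    """Per source IP, find the window with the most distinct usernames tried.

    Returns {ip: {...}} only for sources that reach `min_distinct` names
    inside `window_seconds`.  'invalid' holds the names sshd rejected as
    nonexistent; names in 'usernames' but not in 'invalid' are accounts the
    server treated as real (here 'backup'), which is what the attacker was
    after.  Per the Metasploit testing note, the timing variant may leave no
    line at all for valid names, so a sweep made only of 'Invalid user'
    lines is still a sweep.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, invalid in events:
        by_ip[ip].append((ts, user, invalid))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            names = {u for _, u, _ in window}
            if len(names) < min_distinct:
                continue
            if ip not in alerts or len(names) > len(alerts[ip]["usernames"]):
                alerts[ip] = {
                    "usernames": names,
                    "invalid": {u for _, u, inv in window if inv},
                    "first": window[0][0],
                    "last": window[-1][0],
                }
    return alerts


if __name__ == "__main__":
    for ip, a in find_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {len(a['usernames'])} names "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"valid-looking: {sorted(a['usernames'] - a['invalid'])}")
```

On the sample the sweep from 203.0.113.5 is reported with seven names in four seconds and `backup` as the one name the server did not reject, while the single failure from 198.51.100.7 stays below the threshold. Feed real lines in with the correct year (or a journald/ISO-stamped format, adjusting `LINE_RE`), and lower `min_distinct` for slow, spread-out sweeps.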
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 2.6 | LOW | — |
GHSA
GHSA-w48g-c65j-5c6p · ghsa_unreviewed · 2022-05-01 · LOW · CWE-200
Carries the NVD description of CVE-2006-5229 unchanged.
Red Hat
CVE-2006-5229 · vendor_redhat · CVSS 2.6 · LOW
Carries the NVD description of CVE-2006-5229 unchanged.
Statement: Red Hat has been unable to reproduce this flaw and believes that the reporter was experiencing behavior specific to his environment. We will not be releasing an update to address this issue.
No detection rules found.
Exploit-DB
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack
exploitdb · 2007-02-13 · CVSS 5.0 (MEDIUM) · CVE-2006-5229
```bash
#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears
```
Metasploit
SSH Username Enumeration · metasploit
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
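The measurement-and-classification step that both the NVD description above and this Metasploit note describe (a slower "Permission denied" for a valid user than for an invalid one), written out as an added example; it is not sshtime, raptor_sshtime or the Metasploit module. The SSH server is a constructed stand-in (`SimulatedSshd`) whose 50 ms base round trip, cyclic jitter pattern and 120 ms / 3 ms extra hash delays are assumptions; against a real target the `probe` callable would instead time one bad-password authentication attempt per call.

```python
"""Timing-side-channel username classification (added example).

The oracle: sshd answers 'Permission denied' later for a valid user because
the /etc/shadow hash (with its increased round count) is computed before the
reply.  collect_samples/classify are the analysis a sshtime-style tool does;
SimulatedSshd is a constructed stand-in for the server, not a real client.
"""
import statistics
from typing import Callable, Dict, Iterable, List


class SimulatedSshd:
    """Constructed stand-in: base RTT plus a jitter value cycled per call;
    valid users pay `hash_delay` on top (the /etc/shadow rounds)."""

    def __init__(self, valid_users: Iterable[str], hash_delay: float,
                 base_rtt: float = 0.050,
                 jitter: Iterable[float] = (0.000, 0.004, 0.008, 0.002, 0.006)):
        self.valid = set(valid_users)
        self.hash_delay = hash_delay
        self.base_rtt = base_rtt
        self.jitter = list(jitter)
        self.calls = 0

    def __call__(self, username: str) -> float:
        """Seconds until 'Permission denied' for one bad-password attempt."""
        rtt = self.base_rtt + self.jitter[self.calls % len(self.jitter)]
        self.calls += 1
        if username in self.valid:
            rtt += self.hash_delay
        return rtt


def collect_samples(probe: Callable[[str], float], usernames: List[str],
                    rounds: int = 5) -> Dict[str, List[float]]:
    """Probe every username `rounds` times, interleaved so that drift in
    network latency lands on all names rather than on one block of them."""
    samples: Dict[str, List[float]] = {u: [] for u in usernames}
    for _ in range(rounds):
        for u in usernames:
            samples[u].append(probe(u))
    return samples


def classify(samples: Dict[str, List[float]], min_gap_ratio: float = 2.0) -> dict:
    """Split usernames into a fast (invalid) and a slow (valid) group.

    Per-user medians absorb the odd outlier; the split goes at the largest
    gap between consecutive medians; a result is only reported when that gap
    clearly exceeds the worst within-user spread.  Otherwise the delta is
    buried in jitter, the advisory's 'possibly under limited configurations'
    case, and nothing is claimed.
    """
    medians = {u: statistics.median(v) for u, v in samples.items()}
    ordered = sorted(medians.items(), key=lambda kv: kv[1])
    noise = max(max(v) - min(v) for v in samples.values())

    split, best_gap = None, 0.0
    for i in range(1, len(ordered)):
        gap = ordered[i][1] - ordered[i - 1][1]
        if gap > best_gap:
            split, best_gap = i, gap

    confident = split is not None and best_gap >= min_gap_ratio * noise
    if not confident:
        return {"confident": False, "gap": best_gap, "noise": noise,
                "valid": [], "invalid": []}
    return {"confident": True, "gap": best_gap, "noise": noise,
            "valid": [u for u, _ in ordered[split:]],
            "invalid": [u for u, _ in ordered[:split]]}


def enumerate_users(probe: Callable[[str], float], usernames: List[str],
                    rounds: int = 5) -> dict:
    return classify(collect_samples(probe, usernames, rounds))


if __name__ == "__main__":
    wordlist = ["root", "admin", "backup", "oracle", "postgres", "test"]
    # Slow-hash configuration: valid users cost an extra 120 ms.
    slow = SimulatedSshd({"root", "backup", "postgres"}, hash_delay=0.120)
    print(enumerate_users(slow, wordlist))
    # Near-default configuration: only 3 ms, smaller than the jitter.
    fast = SimulatedSshd({"root", "backup", "postgres"}, hash_delay=0.003)
    print(enumerate_users(fast, wordlist))
```

The two runs in the `__main__` block are the two halves of the advisory: with a 120 ms hash delay the three seeded accounts separate cleanly from the rest, while at 3 ms the gap is smaller than the 8 ms jitter spread and `classify` refuses to name anyone, which is the behaviour Red Hat's "could not reproduce" points at. Interleaving and the noise check are what separate a reliable run from a list of guesses; `min_gap_ratio` is the knob to tighten on a noisy link.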
No writeups or analysis indexed.
References
http://secunia.com/advisories/25979
http://www.osvdb.org/32721
http://www.securityfocus.com/archive/1/448025/100/0/threaded
http://www.securityfocus.com/archive/1/448108/100/0/threaded
http://www.securityfocus.com/archive/1/448156/100/0/threaded
http://www.securityfocus.com/archive/1/448702/100/0/threaded
http://www.securityfocus.com/bid/20418
http://www.sybsecurity.com/hack-proventia-1.pdf
http://www.vupen.com/english/advisories/2007/2545