CVE-2006-5229
published 2006-10-10

Priority: P4 / 29 / low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Exploit: available
EPSS: 53.96% (98.9th percentile)
OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.

Affected (1 range)

Vendor   Product  Version range  Fixed in
openbsd  openssh  (not given)    (not given)

Detection & IOCs (extracted from sources)

  • Monitor SSH authentication timing discrepancies: valid usernames produce slower 'Permission denied' responses than invalid ones because of /etc/shadow processing overhead, so a consistent timing delta between responses is indicative of user enumeration activity.
  • Invalid usernames are logged by sshd while valid usernames are NOT logged during this timing attack, so the absence of log entries for certain usernames in the middle of a sweep is a detection signal.
  • The timing vulnerability is specifically triggered by manually-set passwords that increase the bcrypt/SHA rounds in /etc/shadow; environments with elevated shadow rounds are at higher risk and should be prioritised for monitoring.
  • The timing attack is only reliably exploitable under specific configurations, particularly where manually-set passwords with increased /etc/shadow hashing rounds are in use; default configurations may not be vulnerable.
  • Red Hat was unable to reproduce the flaw and considers it environment-specific; detections tuned for this CVE may produce false positives or miss the issue depending on the target OS and shadow configuration.
  • The Metasploit module also supports a malformed SSH_MSG_USERAUTH_REQUEST packet method (requiring public key auth to be enabled) as an alternative to the timing attack; both vectors should be considered when writing detections.

CVSS provenance

nvd: CVSS v2.0, 2.6, LOW, AV:N/AC:H/Au:N/C:P/I:N/A:N
vendor_redhat: 2.6, LOW