CVE-2006-5229 Information
Description
OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
Reference
http://secunia.com/advisories/25979
http://www.osvdb.org/32721
http://www.securityfocus.com/archive/1/448025/100/0/threaded
http://www.securityfocus.com/archive/1/448108/100/0/threaded
http://www.securityfocus.com/archive/1/448156/100/0/threaded
http://www.securityfocus.com/archive/1/448702/100/0/threaded
http://www.securityfocus.com/bid/20418
http://www.sybsecurity.com/hack-proventia-1.pdf
http://www.vupen.com/english/advisories/2007/2545