Summary

Security Advisory ID : BSA-2016-195

Component : OpenSSH

Revision : 2.0: Final

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Affected Products

Brocade Fabric OS. Security update provided in Brocade Fabric OS v8.1.0a , v8.2.0.

Solution

Brocade has provided Security updates for the vulnerability described in this advisory. The patch releases have been posted to the MyBrocade web portal. Brocade strongly recommends that all customers running the impacted version(s) install the patch.

Workaround

Minimizing exposure to these vulnerabilities can also be done by using firewall and ipfilter to limit access to switch CLI interface from trusted hosts only.

Revision History