CVE-2016-20012

Publication date 15 September 2021

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssh	22.04 LTS jammy	Ignored
	21.10 impish	Ignored
	21.04 hirsute	Ignored
	20.04 LTS focal	Ignored
	18.04 LTS bionic	Ignored
	16.04 LTS xenial	Ignored
	14.04 LTS trusty	Ignored
openssh-ssh1	22.04 LTS jammy	Ignored
	21.10 impish	Ignored
	21.04 hirsute	Ignored
	20.04 LTS focal	Ignored
	18.04 LTS bionic	Ignored
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

seth-arnold

openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. The upstream OpenSSH developers see this as an important security feature and do not intend to 'fix' it.

ccdm94

Reading through the comments in PR 270, which is now closed and has not been merged, it is possible to see that upstream does not plan on fixing this issue because it would introduce too many possible new problems.

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N