PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6210 Openbsd CVE debrief

CVE-2016-6210 is an information-disclosure issue in sshd from OpenSSH before 7.3. In the affected password-authentication path, when SHA256 or SHA512 are used for user password hashing, sshd uses a Blowfish hash of a static password for nonexistent usernames. That creates a measurable timing difference, especially with a large password, which remote attackers can use to enumerate valid usernames.

Vendor: Openbsd
Product: OpenSSH
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running OpenSSH sshd on exposed systems, especially where username secrecy matters or where SSH is reachable from untrusted networks. Teams that rely on OpenSSH password authentication with SHA256/SHA512 hashing on affected versions should prioritize the fix.

Technical summary

The supplied NVD record describes a timing side channel in OpenSSH sshd before 7.3. The vulnerable behavior occurs when a login attempt targets a nonexistent username and the server follows a different password-hashing path than it does for existing users. NVD assigns CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200, reflecting a remote confidentiality issue rather than code execution or service disruption. The affected version range in the supplied CPE data extends through OpenSSH 7.2.

Defensive priority

Medium, rising to high for internet-facing SSH services or environments where user enumeration materially increases attack surface.

Recommended defensive actions

  • Upgrade OpenSSH to 7.3 or later, or install the vendor backport that removes the timing difference.
  • Confirm your operating system or appliance has the fix applied even if the package version appears older than 7.3.
  • Restrict SSH exposure with firewall rules, VPN access, or allowlists where practical.
  • Review SSH authentication monitoring for repeated probes that may indicate username-enumeration attempts.
  • Use additional access controls such as MFA and strong rate-limiting around SSH authentication where supported.
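One way to put the monitoring item above into practice, as an added example that is not part of this debrief or of OpenSSH itself: a small Python detector that parses the "Invalid user <name> from <ip>" lines sshd writes to the auth log and flags any source that probes many distinct nonexistent usernames within a short window. The host name, addresses, log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Invalid user <name> from <ip>" line sshd logs for nonexistent accounts.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9a-fA-F.:]+)"
)

def parse_invalid_user_events(lines):
    """Return [(timestamp, source_ip, username)] for every invalid-user line."""
    events = []
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if m:
            # syslog timestamps carry no year; a single year is assumed here
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events

def find_enumeration_sources(lines, window=timedelta(minutes=10), threshold=5):
    """Map source_ip -> distinct nonexistent usernames probed inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_invalid_user_events(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, probes in by_ip.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # advance the window start so probes[start:end+1] fit inside window
            while probes[end][0] - probes[start][0] > window:
                start += 1
            names = {user for _, user in probes[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = names
                break
    return flagged

# Constructed sample auth-log lines (not from a real host); RFC 5737 test addresses.
SAMPLE_LOG = """\
Jul 18 10:00:01 bastion sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Jul 18 10:00:04 bastion sshd[2105]: Invalid user oracle from 203.0.113.5 port 51240
Jul 18 10:00:06 bastion sshd[2109]: Invalid user test from 203.0.113.5 port 51244
Jul 18 10:00:09 bastion sshd[2113]: Invalid user guest from 203.0.113.5 port 51250
Jul 18 10:00:11 bastion sshd[2117]: Invalid user backup from 203.0.113.5 port 51256
Jul 18 10:03:30 bastion sshd[2150]: Invalid user bob from 198.51.100.7 port 40022
Jul 18 10:03:41 bastion sshd[2151]: Failed password for alice from 198.51.100.7 port 40024 ssh2
""".splitlines()
```

Tune `window` and `threshold` to the baseline of your own hosts; a single mistyped username from one client is normal, a burst of distinct nonexistent names from one source is the pattern worth an alert.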

Evidence notes

This debrief is based on the supplied NVD record and its linked references. The NVD description states that OpenSSH before 7.3 is affected, that the issue involves SHA256/SHA512 password hashing behavior for nonexistent usernames, and that timing differences can enable remote user enumeration. The supplied NVD metadata also lists affected CPE coverage through OpenSSH 7.2, a CVSS 3.0 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, and CWE-200. The reference list includes the OpenSSH 7.3 release notes, Debian/Gentoo/Red Hat advisories, and an earlier July 2016 Full Disclosure thread, indicating public discussion before the CVE publication date.

Official resources

The CVE was published in the supplied record on 2017-02-13 and later modified on 2026-05-13. The supplied reference list also includes a July 2016 Full Disclosure thread, showing the issue was discussed publicly before CVE publication. No C