[VIM] HP:HPSBTU02209 is probably for timing attacks
Steven M. Christey
coley at mitre.org
Mon May 21 23:03:47 UTC 2007
HP:HPSBTU02209 is probably for timing attacks, which would also mean
that it's not related to CVE-2007-2243.
HPSBTU02209 says "The vulnerability could be exploited remotely by an
unauthorized user to identify valid users... This patch adds a new
keyword to the sshd2_config configuration file for the sshd2
daemon. The new keyword, AuthInteractiveFailureRandomTimeout , adds a
random delay to the existing AuthInteractiveFailureTimeout delay."
The use of random delays is a common defense against timing attacks,
which themselves are sometimes useful for username enumeration.
More information about the VIM