[VIM] HP:HPSBTU02209 is probably for timing attacks

Steven M. Christey coley at mitre.org
Mon May 21 23:03:47 UTC 2007

HP:HPSBTU02209 is probably for timing attacks, which would also mean
that it's not related to CVE-2007-2243.

HPSBTU02209 says "The vulnerability could be exploited remotely by an
unauthorized user to identify valid users... This patch adds a new
keyword to the sshd2_config configuration file for the sshd2
daemon. The new keyword, AuthInteractiveFailureRandomTimeout , adds a
random delay to the existing AuthInteractiveFailureTimeout delay."

The use of random delays is a common defense against timing attacks,
which themselves are sometimes useful for username enumeration.

- Steve

More information about the VIM mailing list