Description
Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.

When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.

The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.

This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.

This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
Published: 2026-06-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a timing side‑channel in Erlang/OTP’s SSH authentication module that allows an attacker to distinguish valid usernames from invalid ones by measuring the time taken to compute PBKDF2‑SHA256 with 600,000 iterations for valid credentials versus an immediate return for invalid usernames. This flaw provides information disclosure by enabling remote username enumeration, which can aid further credential‑guessing or phishing attempts. The weakness is classified as CWE‑208 (Timing Guessing or Tampering).

Affected Systems

Erlang:OTP versions 29.0 through 29.0.1 and the corresponding SSH 6.0 implementation prior to version 6.0.1.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS data is not available, suggesting no publicly known exploits at this time and a lower likelihood of widespread use. The vulnerability is not listed in the CISA KEV catalog. An attacker can perform the enumeration from any remote host that can reach the SSH port, using only a single authentication attempt to infer a username based on timing. No elevated privileges or code execution are required, but the information gained can accelerate subsequent attacks.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Remediation

Vendor Workaround

Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity.

OpenCVE Recommended Actions

  • Apply the latest Erlang/OTP release (29.0.2 or later) or update SSH to version 6.0.1 or newer to eliminate the timing discrepancy.
  • Reconfigure SSH to use the pwdfun authentication callback instead of the user_passwords or password options, ensuring the function executes in constant time regardless of username validity.
  • Restrict access to the SSH service by firewall rules so that only trusted networks or hosts can connect, limiting the pool of potential attackers capable of measuring timing.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang\/ssh
CPEs cpe:2.3:a:erlang:erlang\/ssh:*:*:*:*:*:*:*:*
Vendors & Products Erlang erlang\/ssh
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 10 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Erlang otp
Vendors & Products Erlang erlang/otp
Erlang otp

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
Title SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-208
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Erlang Erlang/otp Erlang\/otp Erlang\/ssh Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-11T04:45:32.938Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48859

cve-icon Vulnrichment

Updated: 2026-06-10T16:19:38.063Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T16:17:12.373

Modified: 2026-06-15T18:23:51.770

Link: CVE-2026-48859

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:00:07Z

Weaknesses
  • CWE-208

    Observable Timing Discrepancy