CVE-2026-48859— Erlang/OTP 安全漏洞

SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.

N/A

通过时间差异性导致的信息暴露

Erlang/OTP 安全漏洞

Erlang/OTP是Erlang/OTP开源的一个JavaScript编写的处理处理异常的库。该库可以捕捉node.js内置API引发的异常。 Erlang/OTP ssh 6.0至6.0.1之前版本存在安全漏洞，该漏洞源于ssh_auth模块在密码认证中对有效用户名执行PBKDF2-SHA256计算，对无效用户名立即返回，存在可观察的时间差异，可能导致未经身份验证的远程攻击者通过定时侧信道枚举有效用户名。

N/A

N/A