CVE-2016-20012

MEDIUM

OpenSSH <= 8.7 - Unauthenticated User Enumeration via Public Key Validation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20012. PoCs published by arturo-b-cmu.

AI-analyzed exploit summary This Python script performs SSH username enumeration by measuring response times for invalid password attempts, leveraging timing differences to identify valid usernames. It uses the `paramiko` library to automate connection attempts and calculates statistical metrics for analysis.

Description

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

Exploits (1)

nomisec SCANNER

by arturo-b-cmu · poc

https://github.com/arturo-b-cmu/cve-2016-20012

View Code ZIP pw:eip

This Python script performs SSH username enumeration by measuring response times for invalid password attempts, leveraging timing differences to identify valid usernames. It uses the `paramiko` library to automate connection attempts and calculates statistical metrics for analysis.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: SSH servers (unspecified version)

No auth needed

Prerequisites: Target SSH server IP/port · Wordlist of usernames · Network connectivity to the target

MITRE ATT&CK

T1087.001 - Local Account

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (8)

Core 8

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/openssh/openssh-portable/pull/270

Exploit, Third Party Advisory x_refsource_misc

https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265

Third Party Advisory x_refsource_misc

https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak

Exploit, Third Party Advisory x_refsource_misc

https://rushter.com/blog/public-ssh-keys/

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20211014-0005/

Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097

Mailing List, Third Party Advisory x_refsource_misc

https://www.openwall.com/lists/oss-security/2018/08/24/1

Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185

Scores

CVSS v3 5.3

EPSS 0.0504

EPSS Percentile 91.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (5)

netapp/clustered_data_ontap

netapp/hci_management_node

netapp/ontap_select_deploy_administration_utility

netapp/solidfire

openbsd/openssh < 8.7

Published Sep 15, 2021

Tracked Since Feb 18, 2026