CVE-2013-4434 | Vulnerability Database | Aqua Security

Dropbear SSH Server before 2013.59 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to discover valid usernames.

Affected Software

Name	Vendor	Start Version	End Version
Dropbear_ssh	Dropbear_ssh_project	*	2013.59 (excluding)
Dropbear	Ubuntu	lucid	*
Dropbear	Ubuntu	precise	*
Dropbear	Ubuntu	quantal	*
Dropbear	Ubuntu	raring	*
Dropbear	Ubuntu	saucy	*
Dropbear	Ubuntu	upstream	*

References

http://lists.opensuse.org/opensuse-updates/2013-10/msg00061.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00046.html
http://secunia.com/advisories/55173
http://www.openwall.com/lists/oss-security/2013/10/16/11
http://www.securityfocus.com/bid/62993
https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a
https://support.citrix.com/article/CTX216642
http://lists.opensuse.org/opensuse-updates/2013-10/msg00061.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00046.html
http://secunia.com/advisories/55173
http://www.openwall.com/lists/oss-security/2013/10/16/11
http://www.securityfocus.com/bid/62993
https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a
https://support.citrix.com/article/CTX216642

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-4434
CWE	https://cwe.mitre.org/data/definitions/189.html