A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses.
- CentOS6 based Unitrends' appliances (physical and/or virtual), fix is in openssh-5.3p1-123.el6_9. This was fixed in Unitrends software release-10.3.8. Please upgrade to latest release version.
- CentOS7 based Unitrends' appliances (physical and/or virtual), fix is in openssh-7.4p1-11.el7 and Unitrends' initial release of CentOS7 was with oepnssh-7.4p1-16.el7.
LINK TO ADVISORIES