MEDIUM 5.3

CVE-2026-48859: Erlang/OTP SSH Timing Side-Channel Username Enumeration

A timing side-channel vulnerability in Erlang/OTP's SSH implementation allows attackers to discover valid usernames on an SSH server without authentication. When certain password authentication methods are enabled, the SSH daemon takes noticeably longer (~300ms) to reject logins for real usernames than for fake ones (~0ms). An attacker can exploit this timing difference to enumerate valid user accounts by measuring response times across many login attempts. The vulnerability only affects SSH servers using the legacy user_passwords or password configuration options, which are documented as test-only features; production deployments using the recommended pwdfun alternative are unaffected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-208
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48859 is an observable timing discrepancy (CWE-208) in Erlang/OTP ssh modules ssh_auth and ssh_options. The vulnerability exists in the password authentication path: when user_passwords or password options are configured, the ssh_auth:check_password/3 function performs a computationally expensive PBKDF2-SHA256 operation with 600,000 iterations for valid usernames, incurring approximately 300ms latency. For invalid usernames, the ssh_options:get_password_option/2 function returns immediately without performing the key derivation, resulting in near-zero latency. This timing delta is statistically detectable in a single authentication attempt and enables username enumeration. The recommended pwdfun callback mechanism performs consistent-time validation and is not susceptible to this attack vector. The vulnerability affects Erlang/OTP versions 29.0.0 through 29.0.1 (ssh 6.0.0 through 6.0.0).

Business impact

Username enumeration undermines SSH access control security by reducing attacker reconnaissance effort. An adversary can systematically discover valid accounts before attempting password attacks, dictionary attacks, or social engineering—significantly improving campaign success rates. While the vulnerability requires network access and yields only account names (not credentials), the low barrier to exploitation and high value of discovered usernames make this a meaningful security concern for SSH-exposed systems. Organizations relying on username obscurity or rate-limiting as compensating controls should prioritize remediation. The impact is primarily confidentiality; integrity and availability are not directly threatened.

Affected systems

Erlang/OTP versions 29.0.0 and 29.0.1 with SSH module versions 6.0.0 are affected. Only SSH daemons explicitly configured with the user_passwords or password authentication options are vulnerable; these are documented legacy options intended for testing environments. Servers using the recommended pwdfun callback or other authentication methods (public key, keyboard-interactive without the vulnerable password options) are not affected. Organizations should audit SSH configurations for these specific options—they are typically absent in production deployments but may persist in development, staging, or inherited configurations.

Exploitability

Exploitability is straightforward and does not require authentication, special privileges, or user interaction. An attacker needs only network access to the SSH port and can execute the attack with standard SSH clients by measuring login attempt latency. No configuration bypass or cryptographic attacks are necessary. The timing difference is large enough (300ms vs. near-0ms) to be reliably detected over a network even with variable latency, though local or nearby network positions improve precision. The attack is passive from the server's perspective and leaves minimal forensic traces. Threat actors do not appear to be actively weaponizing this vulnerability according to available threat intelligence, and it is not tracked on the CISA KEV catalog, but the low technical barrier means rapid exploitation adoption is possible if the vulnerability gains prominence.

Remediation

Upgrade Erlang/OTP to version 29.0.2 or later, which addresses the timing discrepancy by ensuring consistent processing time regardless of username validity. Alternatively, migrate SSH authentication configurations from user_passwords or password options to the recommended pwdfun callback mechanism, which performs constant-time validation. Interim mitigation: disable user_passwords and password options and use alternative authentication methods (public key, Kerberos, or keyboard-interactive with custom callbacks). Organizations should verify that no legacy configurations remain after patching, as pre-existing systems may retain deprecated options in startup scripts or configuration management tools.

Patch guidance

Erlang/OTP 29.0.2 and later contain the fix. Verify your current version with `erl -version` (OTP version line) and `ssh:module_info(attributes)` within an Erlang shell to confirm ssh module version. Patch deployment requires restarting SSH services; plan accordingly for production systems. After patching, audit SSH daemon configuration files (typically /etc/ssh/sshd_config or application-specific SSH configs in Erlang deployments) to confirm user_passwords and password options are not present. If found, transition to pwdfun-based authentication. Consult the Erlang/OTP release notes for version 29.0.2 and the vendor advisory for detailed migration guidance.

Detection guidance

Detection focuses on configuration and suspicious login patterns. Review SSH configuration files for the presence of user_passwords or password options—these should trigger immediate investigation and remediation. At the network level, monitor for high-frequency SSH login attempts from a single source to a varying set of usernames with consistent timing probes; this pattern is characteristic of timing-based enumeration. SSH log analysis can identify repeated failed logins across multiple accounts from one IP, though the attack may use distributed sources. Implement SSH login rate limiting and IP-based access controls to raise attacker friction. If timing-based detection is needed, inspect SSH access logs for authentication events and correlate response times, though this requires custom instrumentation beyond standard sshd logging.

Why prioritize this

Priority should be moderate-to-high for systems explicitly using user_passwords or password SSH options, and low for all others. Assess your environment quickly: most production deployments will be unaffected because these options are legacy test mechanisms. For affected configurations, the ease of exploitation and direct value to attackers (account enumeration) warrant prompt patching. Organizations with public-facing SSH services, multiple user accounts, or reliance on username confidentiality should prioritize. The CVSS score of 5.3 (MEDIUM) reflects the confidentiality impact and low attack complexity, but is not on the CISA KEV catalog, suggesting no active exploitation in the wild at publication—a window to remediate before threat actor adoption.

Risk score, explained

CVE-2026-48859 carries a CVSS 3.1 score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This reflects network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and a limited scope impact (S:U) affecting only confidentiality (C:L, impact is username disclosure). The score does not account for configuration prevalence or threat actor interest, which further reduce practical risk for most deployments. Organizations using the vulnerable configuration should treat as high-priority in their environment; others can deprioritize behind more impactful CVEs.

Frequently asked questions

Does this vulnerability affect my SSH server if I use public key authentication?

No. This timing side-channel only affects SSH servers explicitly configured with the user_passwords or password authentication options. Public key authentication, keyboard-interactive without these options, and GSSAPI methods are unaffected. Check your SSH configuration for these specific options to determine exposure.

What is the difference between the vulnerable user_passwords/password options and the recommended pwdfun?

Both are password authentication mechanisms in Erlang/OTP SSH. The user_passwords and password options are legacy, test-intended methods that perform password validation in different code paths, creating the timing discrepancy. The pwdfun callback is the modern alternative that provides custom password validation logic with consistent-time processing. Migrate to pwdfun for production deployments.

Can an attacker obtain actual passwords using this vulnerability?

No. This vulnerability reveals only valid usernames through timing analysis. Passwords remain protected by PBKDF2-SHA256 cryptography. However, username enumeration is a valuable first step in multi-stage attacks and significantly reduces attacker effort in brute-force and social engineering campaigns.

Is there a temporary workaround while I prepare to patch?

Yes. Disable the vulnerable user_passwords and password options in your SSH configuration and use an alternative authentication method (public key, Kerberos, keyboard-interactive with a custom callback, or GSSAPI). This eliminates the timing discrepancy entirely while you schedule Erlang/OTP upgrades.

This analysis is based on publicly available CVE data and vendor advisories as of the publication date. Verify all patch versions, affected product versions, and remediation steps against official Erlang/OTP and vendor security advisories before deploying changes. This vulnerability analysis does not constitute professional security advice or a risk assessment for your specific environment; conduct your own threat modeling and configuration audit. SEC.co does not endorse any particular remediation approach and recommends consulting with your security team and vendor support for deployment decisions. Information about active exploitation is based on available threat intelligence at publication and may not reflect current conditions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).