ID CVE-2003-0190
Summary OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Vulnerable Configurations
  • OpenBSD OpenSSH 3.4 p1
    cpe:2.3:a:openbsd:openssh:3.4p1
  • OpenBSD OpenSSH 3.6.1 p1
    cpe:2.3:a:openbsd:openssh:3.6.1p1
CVSS
Base: 5.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
exploit-db via4
  • description Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit. CVE-2003-0190,CVE-2006-5229. Remote exploit for multiple platforms
    id EDB-ID:3303
    last seen 2016-01-31
    modified 2007-02-13
    published 2007-02-13
    reporter Marco Ivaldi
    source https://www.exploit-db.com/download/3303/
    title Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  • description OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool. CVE-2003-0190. Remote exploit for linux platform
    id EDB-ID:25
    last seen 2016-01-31
    modified 2003-04-30
    published 2003-04-30
    reporter Maurizio Agazzini
    source https://www.exploit-db.com/download/25/
    title OpenSSH/PAM <= 3.6.1p1 - Remote Users Discovery Tool
  • description OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh). CVE-2003-0190. Remote exploit for linux platform
    id EDB-ID:26
    last seen 2016-01-31
    modified 2003-05-02
    published 2003-05-02
    reporter Nicolas Couture
    source https://www.exploit-db.com/download/26/
    title OpenSSH/PAM <= 3.6.1p1 - Remote Users Ident gossh.sh
metasploit via4
description This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
id MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS
last seen 2019-03-24
modified 2018-09-15
published 2014-04-28
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
title SSH Username Enumeration
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-34-1.NASL
    description @Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i.e. the time after which the 'password:' prompt appears again. A similar issue affects systems which do not allow root logins over ssh ('PermitRootLogin no'). By measuring the time between login attempts an attacker could check whether a given root password is correct. This allowed determining weak root passwords using a brute force attack. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20650
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20650
    title Ubuntu 4.10 : openssh information leakage (USN-34-1)
  • NASL family Misc.
    NASL id OPENSSH_PAM_TIMING.NASL
    description The remote host seems to be running an SSH server that could allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login compared to the time it takes to refuse a bad password for a valid login. An attacker could use this flaw to set up a brute-force attack against the remote host.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 11574
    published 2003-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11574
    title OpenSSH w/ PAM Multiple Timing Attack Weaknesses
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-224.NASL
    description Updated OpenSSH packages are now available. These updates close an information leak caused by sshd's interaction with the PAM system. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. When configured to allow password-based or challenge-response authentication, sshd (the OpenSSH server) uses PAM (Pluggable Authentication Modules) to verify the user's password. Under certain conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid authentication attempt without first attempting authentication using PAM. If PAM is configured with its default failure delay, the amount of time sshd takes to reject an invalid authentication request varies widely enough that the timing variations could be used to deduce whether or not an account with a specified name existed on the server. This information could then be used to narrow the focus of an attack against some other system component. These updates contain backported fixes that cause sshd to always attempt PAM authentication when performing password and challenge-response authentication for clients.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12407
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12407
    title RHEL 2.1 : openssh (RHSA-2003:224)
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
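The leak described in the summary and spelled out in the Ubuntu (USN-34-1) and Red Hat (RHSA-2003:224) plugin descriptions above, as an added example that is not part of this record and not OpenSSH's own code: a small model of the pre-fix sshd password path, which refuses an unknown login name before PAM (and its failure delay) is ever consulted, next to the patched path that always runs PAM, plus the timing oracle an attacker runs against it. The account names and passwords, the 100 ms PAM delay, the 20 ms decision margin and the function names are assumptions made for the example; nothing here contacts a real server.

```python
import secrets
import statistics
import time

# Constructed account list standing in for /etc/shadow on the target;
# the names and passwords are invented for this example.
ACCOUNTS = {"root": "hunter2", "alice": "correct horse", "backup": "S3cret!"}

# PAM's failure delay on a rejected password.  Assumed to be 100 ms here so
# the demo runs in a couple of seconds; deployments of the era used seconds.
PAM_FAIL_DELAY = 0.10

# Assumed decision margin: a gap larger than the measurement noise expected.
TIMING_MARGIN = 0.02


def pam_authenticate(user: str, password: str) -> bool:
    """Model of PAM password verification: every failed attempt pays the
    same delay, whether the name is unknown or the password is wrong."""
    ok = ACCOUNTS.get(user) == password
    if not ok:
        time.sleep(PAM_FAIL_DELAY)
    return ok


def sshd_vulnerable(user: str, password: str) -> bool:
    """Pre-fix path as described in RHSA-2003:224: an unknown login name is
    refused before PAM is consulted, so the client never waits."""
    if user not in ACCOUNTS:
        return False  # immediate rejection: this is the timing leak
    return pam_authenticate(user, password)


def sshd_fixed(user: str, password: str) -> bool:
    """Patched path: always run PAM, so known and unknown names both wait."""
    return pam_authenticate(user, password)


def measure(server, user: str, trials: int = 3) -> float:
    """Median wall-clock seconds for `trials` failed logins as `user`.
    The median discards the occasional slow outlier that a mean would keep."""
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        server(user, "not-the-password")
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def enumerate_users(server, candidates, trials: int = 3) -> set:
    """Timing oracle.  A random name is certainly absent, so its response
    time is the 'nonexistent' baseline; candidates that take clearly longer
    went through PAM's failure delay and therefore exist."""
    baseline = measure(server, "nx-" + secrets.token_hex(8), trials)
    threshold = baseline + TIMING_MARGIN
    return {u for u in candidates if measure(server, u, trials) > threshold}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "root", "mallory"]
    print("vulnerable sshd:", sorted(enumerate_users(sshd_vulnerable, wordlist)))
    print("fixed sshd:     ", sorted(enumerate_users(sshd_fixed, wordlist)))
```

Against the vulnerable path the oracle reports `alice` and `root` (the names from the wordlist that exist) and nothing against the fixed path, because both unknown and known names now pay the same PAM delay. On a real target the measurements also carry network jitter, so a practical probe repeats each attempt and compares against a name known not to exist, which is what the median in `measure` and the random baseline in `enumerate_users` stand for here.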
oval via4
accepted 2010-09-20T04:00:26.335-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
  • name Jonathan Baker
    organization The MITRE Corporation
description OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
family unix
id oval:org.mitre.oval:def:445
status accepted
submitted 2003-08-29T12:00:00.000-04:00
title OpenSSH Indirect User Disclosure Vulnerability
version 37
packetstorm via4
data source https://packetstormsecurity.com/files/download/54435/openssh-timing.txt
id PACKETSTORM:54435
last seen 2016-12-05
published 2007-02-14
reporter Marco Ivaldi
source https://packetstormsecurity.com/files/54435/openssh-timing.txt.html
title openssh-timing.txt
redhat via4
advisories
  • rhsa
    id RHSA-2003:222
  • rhsa
    id RHSA-2003:224
refmap via4
bid 7467
bugtraq
  • 20030430 OpenSSH/PAM timing attack allows remote users identification
  • 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
fulldisc 20030430 OpenSSH/PAM timing attack allows remote users identification
misc http://lab.mediaservice.net/advisory/2003-01-openssh.txt
turbo TLSA-2003-31
Last major update 17-10-2016 - 22:30
Published 12-05-2003 - 00:00
Last modified 10-10-2017 - 21:29