Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2003-0190
Last Modified 07 Mar 2011 09:12:15
Published 12 May 2003 12:00:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2003-0190

Summary

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Vulnerable Systems

Application

  • Openbsd Openssh 3.4p1

  • Openbsd Openssh 3.6.1p1


References

BID - 7467

BUGTRAQ - 20030430 OpenSSH/PAM timing attack allows remote users identification

TURBO - TLSA-2003-31

REDHAT - RHSA-2003:224

REDHAT - RHSA-2003:222

BUGTRAQ - 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)

MISC - http://lab.mediaservice.net/advisory/2003-01-openssh.txt


Last Updated: 27 May 2016 10:37:48