PT-2003-1109 · Openssh+1 · Openssh-Portable+1

Andrea Ghirardini

Published

2003-05-02

Updated

2024-07-08

CVE-2003-0190

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions OpenSSH-portable versions 3.6.1p1 and earlier

Description The issue allows remote attackers to determine valid usernames via a timing attack when a user does not exist, due to the immediate sending of an error message with PAM support enabled. This can lead to a violation of confidentiality. The vulnerability can be exploited remotely.

Recommendations For OpenSSH-portable versions 3.6.1p1 and earlier, consider disabling PAM support as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203

Related Identifiers

ALT-PU-2024-3921

ALT-PU-2024-4077

ALT-PU-2024-4467

ALT-PU-2024-9513

BDU:2015-08184

BDU:2015-08187

BDU:2015-08190

BDU:2015-08193

BDU:2015-08196

CVE-2003-0190

Affected Products

Alt Linux

Openssh-Portable

PT-2003-1109 · Openssh+1 · Openssh-Portable+1

CVE-2003-0190

Weakness Enumeration

Related Identifiers

Affected Products

References · 25