CVE-2003-0190 - Information Exposure Through Discrepancy vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Tags: openbsd, openpkg, siemens, CWE-203, nessus, exploit available, metasploit

Summary

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh). CVE-2003-0190. Remote exploit for Linux platform
    id: EDB-ID:26
    last seen: 2016-01-31
    modified: 2003-05-02
    published: 2003-05-02
    reporter: Nicolas Couture
    source: https://www.exploit-db.com/download/26/
    title: OpenSSH/PAM <= 3.6.1p1 - Remote Users Ident gossh.sh
  • description: Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit. CVE-2003-0190, CVE-2006-5229. Remote exploits for multiple platforms
    id: EDB-ID:3303
    last seen: 2016-01-31
    modified: 2007-02-13
    published: 2007-02-13
    reporter: Marco Ivaldi
    source: https://www.exploit-db.com/download/3303/
    title: Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  • description: OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool. CVE-2003-0190. Remote exploit for Linux platform
    id: EDB-ID:25
    last seen: 2016-01-31
    modified: 2003-04-30
    published: 2003-04-30
    reporter: Maurizio Agazzini
    source: https://www.exploit-db.com/download/25/
    title: OpenSSH/PAM <= 3.6.1p1 - Remote Users Discovery Tool

Metasploit

description: This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
id: MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS
last seen: 2020-02-17
modified: 2018-09-15
published: 2014-04-28
references: (none listed)
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/ssh_enumusers.rb
title: SSH Username Enumeration

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-34-1.NASL
    description: @Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i.e. the time after which the 'password:' prompt appears again.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20650
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20650
    title: Ubuntu 4.10 : openssh information leakage (USN-34-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-34-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20650);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:59");
    
      script_cve_id("CVE-2003-0190");
      script_xref(name:"USN", value:"34-1");
    
      script_name(english:"Ubuntu 4.10 : openssh information leakage (USN-34-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "@Mediaservice.net discovered two information leaks in the OpenSSH
    server. When using password authentication, an attacker could test
    whether a login name exists by measuring the time between failed login
    attempts, i. e. the time after which the 'password:' prompt appears
    again.
    
    A similar issue affects systems which do not allow root logins over
    ssh ('PermitRootLogin no'). By measuring the time between login
    attempts an attacker could check whether a given root password is
    correct. This allowed determining weak root passwords using a brute
    force attack.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"openssh-client", pkgver:"3.8.1p1-11ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"openssh-server", pkgver:"3.8.1p1-11ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"ssh", pkgver:"3.8.1p1-11ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"ssh-askpass-gnome", pkgver:"3.8.1p1-11ubuntu3.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-client / openssh-server / ssh / ssh-askpass-gnome");
    }
    
  • NASL family: Misc.
    NASL id: OPENSSH_PAM_TIMING.NASL
    description: The remote host seems to be running an SSH server that could allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login with the time it takes to refuse a bad password for a valid login. An attacker could use this flaw to set up a brute-force attack against the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11574
    published: 2003-05-06
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11574
    title: OpenSSH w/ PAM Multiple Timing Attack Weaknesses
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if ( ! defined_func("bn_random") || ! defined_func("unixtime") ) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11574);
     script_version("1.49");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     script_cve_id("CVE-2003-0190", "CVE-2003-1562");
     script_bugtraq_id(7342, 7467, 7482, 11781);
    
     script_name(english:"OpenSSH w/ PAM Multiple Timing Attack Weaknesses");
     script_summary(english:"Checks the timing of the remote SSH server");
    
     script_set_attribute(attribute:"synopsis", value:"It is possible to enumerate valid users on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host seems to be running an SSH server that could allow an
    attacker to determine the existence of a given login by comparing the
    time the remote sshd daemon takes to refuse a bad password for a
    nonexistent login compared to the time it takes to refuse a bad
    password for a valid login.
    
    An attacker could use this flaw to set up a brute-force attack against
    the remote host.");
     script_set_attribute(attribute:"solution", value:
    "Disable PAM support if you do not use it, upgrade to the OpenSSH
    version 3.6.1p2 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(362);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/28");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/05/06");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2020 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     script_dependencie("ssh_detect.nasl");
     script_require_keys("Settings/ParanoidReport");
     script_require_ports("Services/ssh", 22);
    
     exit(0);
    }
    
    include("audit.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("ssh_func.inc");
    
    
    enable_ssh_wrappers();
    
    if ( get_kb_item("Settings/PCI_DSS") ) banner_chk = TRUE;
    if ( supplied_logins_only ) banner_chk = TRUE;
    
    port = get_kb_item("Services/ssh");
    if(!port)port = 22;
    
    banner = get_kb_item("SSH/banner/" + port);
    if ( ! banner ) exit(0);
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if ( banner_chk )
    {
     banner = tolower(get_backport_banner(banner:banner));
     if(ereg(pattern:".*openssh[-_](([12]\..*)|(3\.[0-5][^0-9]*)|(3\.6\.[01]$))[^0-9]*",
            string:banner)) {
                    security_warning(port);
            }
    
     exit(0);
    }
    
    maxdiff = 3;
    
    if ( ! thorough_tests )
      if ( "openssh" >!<  tolower(banner) ) exit(0);
    
    
    checking_default_account_dont_report = TRUE;
    
    
    _ssh_socket = open_sock_tcp(port);
    if ( ! _ssh_socket ) exit(0);
    
    then = unixtime();
    ret = ssh_login(login:"nonexistent" + rand(), password:"n3ssus");
    now = unixtime();
    ssh_close_connection();
    
    inval_diff = now - then;
    
    _ssh_socket = open_sock_tcp(port);
    if ( ! _ssh_socket ) exit(0);
    then = unixtime();
    ret = ssh_login(login:"bin", password:"n3ssus");
    now = unixtime();
    val_diff = now - then;
    if ( ( val_diff - inval_diff ) >= maxdiff ) security_warning(port);
    ssh_close_connection();
    
  • NASL family: Misc.
    NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
    description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues, but Nessus did not test for them.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55992
    published: 2011-08-29
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55992
    title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # the Oracle (Sun) blog above explains how the versioning works. we could
    # probably explicitly check for each vulnerable version if it came down to it
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-224.NASL
    description: Updated OpenSSH packages are now available. These updates close an information leak caused by sshd
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12407
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12407
    title: RHEL 2.1 : openssh (RHSA-2003:224)

Oval

accepted: 2010-09-20T04:00:26.335-04:00
class: vulnerability
contributors:
  • name: Jay Beale
    organization: Bastille Linux
  • name: Thomas R. Jones
    organization: Maitreya Security
  • name: Jonathan Baker
    organization: The MITRE Corporation
description: OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
family: unix
id: oval:org.mitre.oval:def:445
status: accepted
submitted: 2003-08-29T12:00:00.000-04:00
title: OpenSSH Indirect User Disclosure Vulnerability
version: 41

Packetstorm

data source: https://packetstormsecurity.com/files/download/54435/openssh-timing.txt
id: PACKETSTORM:54435
last seen: 2016-12-05
published: 2007-02-14
reporter: Marco Ivaldi
source: https://packetstormsecurity.com/files/54435/openssh-timing.txt.html
title: openssh-timing.txt

Redhat

advisories:
  • rhsa
    id: RHSA-2003:222
  • rhsa
    id: RHSA-2003:224

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:64479
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-64479
    title: Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:16847
    last seen: 2017-11-19
    modified: 2007-02-13
    published: 2007-02-13
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-16847
    title: Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:6192
    last seen: 2017-11-19
    modified: 2007-02-14
    published: 2007-02-14
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-6192
    title: Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit