CVE-2003-0190
published 2003-05-12

Priority P432, medium 5, CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 76.75% (99.5th percentile)
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Affected

60 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | openssh | < openssh 1:3.8.1p1-8.sarge.4 (bookworm) | openssh 1:3.8.1p1-8.sarge.4 (bookworm)
debian | openssh | < openssh 1:3.6p1-1 (bookworm) | openssh 1:3.6p1-1 (bookworm)
openbsd | openssh | < 3.6.1 | 3.6.1
openbsd | openssh | |

Detection & IOCs (extracted from sources)

path: ./ssh
other: not_val_user
other: nicolas_couture
  • Detect SSH username enumeration by observing that invalid users were logged while valid users were not — correlate SSH auth log entries: absence of a log entry for a tested username may indicate a valid user was found.
  • The Metasploit ssh_enumusers module sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication — detect malformed SSH public-key auth packets on port 22 as a sign of active enumeration.
  • On systems with PermitRootLogin disabled, an attacker can brute-force the root password via timing: the TCP connection closes immediately on correct password but stays open on incorrect password — alert on rapid repeated root login attempts to SSH.
  • Timing attack exploits measure response latency differences between valid and invalid usernames — a TIME_RANGE threshold of 3 seconds is used by PoC tools; monitor for SSH clients that make many sequential auth attempts with inter-attempt timing analysis patterns.
  • The Metasploit enumeration module requires public key authentication to be enabled on the target for the malformed-packet action to work.
  • Red Hat assessed the fix risk as greater than the low severity of the bug and had no plans to patch RHEL 2.1 and 3, so deployments on those platforms remain exposed.
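
The log-correlation check from the first bullet, as an added example (not code from this page or from any tool it cites). It assumes the common syslog sshd line layout; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common syslog sshd layout (not taken from the page).
SAMPLE_LOG = """\
May 12 10:00:01 host sshd[4001]: Invalid user not_val_user from 203.0.113.7 port 50112
May 12 10:00:02 host sshd[4002]: Invalid user oracle from 203.0.113.7 port 50113
May 12 10:00:03 host sshd[4003]: Failed password for root from 203.0.113.7 port 50114 ssh2
May 12 10:00:04 host sshd[4004]: Invalid user test from 203.0.113.7 port 50115
May 12 10:00:05 host sshd[4005]: Illegal user guest from 203.0.113.7
May 12 10:07:00 host sshd[4010]: Invalid user admln from 198.51.100.9 port 40100
May 12 10:09:30 host sshd[4011]: Failed password for alice from 198.51.100.9 port 40101 ssh2
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
INVALID = re.compile(TS + r"(?:Invalid|Illegal) user (\S+) from (\S+)")
# "Failed password for <user>" without "invalid user": sshd treats the account as valid.
EXISTING = re.compile(TS + r"Failed password for (?!invalid user )(\S+) from (\S+)")

def parse(log, year=2003):
    """Yield (time, source, user, account_valid); syslog omits the year, so it is assumed."""
    for line in log.splitlines():
        for rx, valid in ((INVALID, False), (EXISTING, True)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield ts, m.group(3), m.group(2), valid

def find_enumeration(log, min_names=4, window=timedelta(seconds=60)):
    """Flag sources that try >= min_names distinct unknown names within window."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log)):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        bad = [(t, u) for t, _, u, valid in evs if not valid]
        for i, (start, _) in enumerate(bad):
            names = {u for t, u in bad[i:] if t - start <= window}
            if len(names) >= min_names:
                # Valid accounts probed by the same source are the ones the scan
                # may have confirmed; report them for follow-up.
                alerts[src] = {"invalid": sorted(names),
                               "valid_probed": sorted({u for _, _, u, v in evs if v})}
                break
    return alerts
```
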

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv | 5.0 | MEDIUM
vendor_debian | 5.0 | LOW
vendor_redhat | 5.0 | MEDIUM