CVE-2003-0190
Published: 2003-05-12
Priority: P4 (32) · medium · CVSS 2.0: 5 · AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: public exploit available
EPSS: 76.75% (99.5th percentile)
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Affected
60 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:3.8.1p1-8.sarge.4 (bookworm) | openssh 1:3.8.1p1-8.sarge.4 (bookworm) |
| debian | openssh | < openssh 1:3.6p1-1 (bookworm) | openssh 1:3.6p1-1 (bookworm) |
| openbsd | openssh | < 3.6.1 | 3.6.1 |
| openbsd | openssh | — | — |
Detection & IOCs (extracted from sources)
- Detect SSH username enumeration by observing that invalid users were logged while valid users were not: correlate SSH auth log entries; the absence of a log entry for a tested username may indicate that a valid user was found.
- The Metasploit ssh_enumusers module sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication; treat malformed SSH public-key auth packets on port 22 as a sign of active enumeration.
- On systems with PermitRootLogin disabled, an attacker can brute-force the root password via timing: the TCP connection closes immediately on a correct password but stays open on an incorrect one (CVE-2004-2760); alert on rapid repeated root login attempts to SSH.
- Timing attack exploits measure response latency differences between valid and invalid usernames; the PoC tool listed on this page uses a TIME_RANGE threshold of 3 seconds. Monitor for SSH clients that make many sequential auth attempts with inter-attempt timing patterns.
- The Metasploit enumeration module requires public key authentication to be enabled on the target for the malformed-packet action to work.
- Red Hat assessed the fix risk as greater than the low severity of the bug and had no plans to patch RHEL 2.1 and 3; deployments on those platforms remain exposed.
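The log-correlation and rapid-root-attempt items above describe what a defender can see in sshd's own syslog output. The following Python script is an added example, not code from any of the sources quoted on this page: it parses a constructed sample of sshd log lines, flags a source that tries many distinct non-existent usernames within a short window (an enumeration sweep), and flags a source that makes a burst of failed logins against one existing account (root). The line formats follow the common sshd messages `Invalid user … from …` and `Failed password for … from …`; the thresholds, the window length and the assumed year are tuning choices for the example, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog sample (not real data): 203.0.113.5 sweeps many
# usernames in a few seconds, 198.51.100.7 hammers root, and 192.0.2.9 is a
# real user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
May 12 10:00:01 bastion sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
May 12 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 12 10:00:02 bastion sshd[2102]: Invalid user oracle from 203.0.113.5 port 51235
May 12 10:00:02 bastion sshd[2103]: Invalid user test from 203.0.113.5 port 51236
May 12 10:00:03 bastion sshd[2104]: Invalid user guest from 203.0.113.5 port 51237
May 12 10:00:03 bastion sshd[2105]: Invalid user backup from 203.0.113.5 port 51238
May 12 10:00:04 bastion sshd[2106]: Invalid user postgres from 203.0.113.5 port 51239
May 12 10:00:10 bastion sshd[2110]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 12 10:00:11 bastion sshd[2111]: Failed password for root from 198.51.100.7 port 40002 ssh2
May 12 10:00:12 bastion sshd[2112]: Failed password for root from 198.51.100.7 port 40003 ssh2
May 12 10:00:13 bastion sshd[2113]: Failed password for root from 198.51.100.7 port 40004 ssh2
May 12 10:00:14 bastion sshd[2114]: Failed password for root from 198.51.100.7 port 40005 ssh2
May 12 10:05:00 bastion sshd[2200]: Failed password for alice from 192.0.2.9 port 52000 ssh2
May 12 10:05:04 bastion sshd[2200]: Accepted password for alice from 192.0.2.9 port 52000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

WINDOW_SECONDS = 60   # assumed analysis window; tune per environment
SWEEP_THRESHOLD = 5   # distinct non-existent usernames from one source
BURST_THRESHOLD = 5   # failed logins against one existing account from one source


def parse_events(log_text, year=2003):
    """Return (timestamp, source_ip, username, account_exists) tuples.

    Syslog lines carry no year, so one is assumed (2003 for the constructed sample).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        inv = INVALID_RE.match(msg)
        fail = FAILED_RE.match(msg)
        if inv:
            events.append((ts, inv["ip"], inv["user"], False))
        elif fail:
            # "Failed password for invalid user X" means the account does not exist
            events.append((ts, fail["ip"], fail["user"], "invalid user" not in msg))
    return events


def find_username_sweeps(events, window=WINDOW_SECONDS, threshold=SWEEP_THRESHOLD):
    """Sources that tried `threshold` or more distinct non-existent usernames within `window` seconds.

    Returns {source_ip: largest number of distinct names seen in one window}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, exists in events:
        if not exists:
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            names = set()
            for ts, user in rows[i:]:
                if (ts - start).total_seconds() > window:
                    break
                names.add(user)
            if len(names) >= threshold:
                findings[ip] = max(findings.get(ip, 0), len(names))
    return findings


def find_account_bursts(events, account="root", window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Sources with `threshold` or more failed logins against one existing account within `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user, exists in events:
        if exists and user == account:
            by_ip[ip].append(ts)
    findings = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for ts in stamps[i:] if (ts - start).total_seconds() <= window)
            if count >= threshold:
                findings[ip] = max(findings.get(ip, 0), count)
    return findings


def analyse(log_text):
    """Run both detectors over raw log text."""
    events = parse_events(log_text)
    return {
        "username_sweeps": find_username_sweeps(events),
        "root_bursts": find_account_bursts(events, account="root"),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for ip, n in hits.items():
            print(f"{kind}: {ip} ({n} within {WINDOW_SECONDS}s)")
```

A username that really exists produces no `Invalid user` line, so a sweep made up mostly of valid names leaves fewer traces than the sample above; that is the "valid users were not logged" observation from the Metasploit note, and it is why the sweep detector is best paired with the connection-rate and malformed-packet signals listed above rather than used alone.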
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Siemens SCALANCE X-200RNA Switch Devices
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Ubuntu
OpenSSH information leakage
vendor_ubuntu·2004-11-30
CVE-2003-0190 OpenSSH information leakage
@Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i.e. the time after which the "password:" prompt appears again.

A similar issue affects systems which do not allow root logins over ssh ("PermitRootLogin no"). By measuring the time between login attempts an attacker could check whether a given root password is correct. This allowed determining weak root passwords using a brute force attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openssh information disclosure
vendor_redhat·2004-04-12·CVSS 5.0
CVE-2004-2760 [MEDIUM] openssh information disclosure
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Statement: The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Debian
CVE-2004-2760: openssh - sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the ...
vendor_debian·2004·CVSS 5.0
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Scope: local
bookworm: resolved (fixed in 1:3.6p1-1)
bullseye: resolved (fixed in 1:3.6p1-1)
forky: resolved (fixed in 1:3.6p1-1)
sid: resolved (fixed in 1:3.6p1-1)
trixie: resolved (fixed in 1:3.6p1-1)
Red Hat
openssh information disclosure
vendor_redhat·2003-05-01·CVSS 5.0
CVE-2003-1562 [MEDIUM] openssh information disclosure
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
Statement: The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which is in maintenance mode.
Red Hat
security flaw
vendor_redhat·2003-04-30·CVSS 5.0
CVE-2003-0190 [MEDIUM] security flaw
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Debian
CVE-2003-0190: openssh - OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediat...
vendor_debian·2003·CVSS 5.0
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Scope: local
bookworm: resolved (fixed in 1:3.8.1p1-8.sarge.4)
bullseye: resolved (fixed in 1:3.8.1p1-8.sarge.4)
forky: resolved (fixed in 1:3.8.1p1-8.sarge.4)
sid: resolved (fixed in 1:3.8.1p1-8.sarge.4)
trixie: resolved (fixed in 1:3.8.1p1-8.sarge.4)
Debian
CVE-2003-1562: openssh - sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using ...
vendor_debian·2003·CVSS 5.0
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
Scope: local
bookworm: resolved (fixed in 1:3.8.1p1-8.sarge.4)
bullseye: resolved (fixed in 1:3.8.1p1-8.sarge.4)
forky: resolved (fixed in 1:3.8.1p1-8.sarge.4)
sid: resolved (fixed in 1:3.8.1p1-8.sarge.4)
trixie: resolved (fixed in 1:3.8.1p1-8.sarge.4)
GHSA
GHSA-49wx-627v-6mcq: sshd in OpenSSH 3
ghsa_unreviewed·2022-04-29·CVSS 5.0
CVE-2003-1562 [MEDIUM] CWE-362 GHSA-49wx-627v-6mcq: sshd in OpenSSH 3
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
GHSA
GHSA-xv6r-hw9g-7g96: sshd in OpenSSH 3
ghsa_unreviewed·2022-04-29·CVSS 5.0
CVE-2004-2760 [MEDIUM] GHSA-xv6r-hw9g-7g96: sshd in OpenSSH 3
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
GHSA
GHSA-32j7-fc74-pjwq: OpenSSH-portable (OpenSSH) 3
ghsa_unreviewed·2022-04-29
CVE-2003-0190 [MEDIUM] CWE-203 GHSA-32j7-fc74-pjwq: OpenSSH-portable (OpenSSH) 3
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
OSV
CVE-2004-2760: sshd in OpenSSH 3
osv·2004-12-31·CVSS 5.0
CVE-2004-2760 [MEDIUM] CVE-2004-2760: sshd in OpenSSH 3
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
OSV
CVE-2003-1562: sshd in OpenSSH 3
osv·2003-12-31·CVSS 5.0
CVE-2003-1562 [MEDIUM] CVE-2003-1562: sshd in OpenSSH 3
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
OSV
CVE-2003-0190: OpenSSH-portable (OpenSSH) 3
osv·2003-05-12·CVSS 5.0
CVE-2003-0190 [MEDIUM] CVE-2003-0190: OpenSSH-portable (OpenSSH) 3
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
No detection rules found.
Exploit-DB
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack
exploitdb·2007-02-13·CVSS 5.0
CVE-2006-5229 [MEDIUM] Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack
---
#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears
Exploit-DB
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident
exploitdb·2003-05-02
CVE-2003-0190 OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident
---
#!/bin/sh
# OpenSSH "
exit 1
}
# Verify the arguments.
[ $# != 2 ] && usage
# Variables.
USER="$1"
HOST="$2"
#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions #
#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script for password.
expasswd() {
cat expasswd
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}
# Expect script for error.
experror() {
cat experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}
#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing #
#=-=-=-=-=-=-=-=-=-=#
# OpenSSH client command for inexisting user.
export SSHCMD="ssh nicolas_couture@$HOST"
# Build new expect script.
expasswd
experror
# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /de
Exploit-DB
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool
exploitdb·2003-04-30
CVE-2003-0190 OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool
---
/*
* SSH_BRUTE - OpenSSH/PAM
* Proof of concept code by Maurizio Agazzini
*
* Tested against Red Hat, Mandrake, and Debian GNU/Linux.
*
* Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
*
* $ tar xvfz openssh-3.6.1p1.tar.gz
* $ patch -p0
#include
#include
/* an illegal user */
#define NO_USER "not_val_user"
/* path of the patched ssh */
#define PATH_SSH "./ssh"
/* max time range for invalid user */
#define TIME_RANGE 3
int main(int argc, char *argv[])
{
FILE * in;
char buffer[2000], username[100], *host;
int time_non_valid = 0, time_user = 0;
int version = 1, i = 0, ret;
fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM \n\n", argv[0]);
exit(-1);
}
version = atoi(argv[1]);
host = argv[3];
if ( ( in = fopen(argv[2]
Metasploit
SSH Username Enumeration
metasploit
SSH Username Enumeration
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
Bugzilla
CVE-2003-0190 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2003-0190 [MEDIUM] CVE-2003-0190 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Bugzilla
CVE-2004-2760 openssh information disclosure
bugzilla·2008-08-04·CVSS 5.0
CVE-2004-2760 [MEDIUM] CVE-2004-2760 openssh information disclosure
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Discussion:
Statement:
The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Bugzilla
CVE-2003-1562 openssh information disclosure
bugzilla·2008-08-04·CVSS 5.0
CVE-2003-1562 [MEDIUM] CVE-2003-1562 openssh information disclosure
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
Discussion:
Statement:
The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which is in maintenance mode.
CWE
Exposure of Sensitive Information to an Unauthorized Actor
mitre_cwe
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details
- system status and environment, such as the operating system and installed packages
- business secrets and intellectual property
- network status and confi
CWE
Observable Timing Discrepancy
mitre_cwe
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
Modes of Introduction:
Phase: Architecture and Design
Note: COMMISSION: This weakness refers to an inc
CWE
Observable Discrepancy
mitre_cwe
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Confidentiality, Access
CWE
Observable Internal Behavioral Discrepancy
mitre_cwe·CVSS 2.1
[LOW] CWE-206 Observable Internal Behavioral Discrepancy
The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.
Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. If the product behaves differently based on whether the username e
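CWE-206 above describes the two internal decisions of a login (does the user exist, is the password right) becoming observable separately, which is the shape of CVE-2003-0190 and of the related CVE-2003-1562 and CWE-208 timing discrepancies listed on this page. The following Python is an added example, not code from OpenSSH, PAM or any source on this page: it places a leaky login routine beside a hardened one that does the same hashing work for unknown and known users, returns a single generic failure message, and enforces a minimum response time. The user store, salts, the PBKDF2 work factor and the `min_response` floor are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # PBKDF2 work factor, kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store {username: (salt, password_hash)}; sample data only.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery", _ALICE_SALT))}

# A dummy credential verified whenever the username does not exist, so the
# unknown-user path performs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
DUMMY_CREDENTIAL = (_DUMMY_SALT, hash_password(os.urandom(16).hex(), _DUMMY_SALT))

HASH_CALLS = 0  # instrumentation: hash computations performed by the last login call


def _verify(password, salt, expected):
    global HASH_CALLS
    HASH_CALLS += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_leaky(username, password):
    """CWE-206 shape: the user-existence decision is observable on its own.

    Unknown users get an immediate, distinct rejection; known users pay for a
    hash computation before theirs, so both timing and the message leak.
    """
    if username not in USERS:
        return False, "no such user"
    salt, expected = USERS[username]
    if _verify(password, salt, expected):
        return True, "ok"
    return False, "bad password"


def login_uniform(username, password, min_response=0.05):
    """Hardened shape: same work, one generic message, and a floor on response time.

    The dummy credential is verified for unknown users, the outcome is then
    masked so a dummy match can never authenticate, and the call is padded to
    at least `min_response` seconds to hide residual timing differences.
    """
    started = time.monotonic()
    salt, expected = USERS.get(username, DUMMY_CREDENTIAL)
    matched = _verify(password, salt, expected)
    ok = matched and username in USERS
    remaining = min_response - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)
    return (True, "ok") if ok else (False, "authentication failed")


def work_done(login_fn, username, password):
    """Run a login routine and report (result, number of hash computations)."""
    global HASH_CALLS
    HASH_CALLS = 0
    result = login_fn(username, password)
    return result, HASH_CALLS


def response_time(login_fn, username, password, **kwargs):
    """Wall-clock seconds one login call took, for comparing the two routines."""
    started = time.monotonic()
    login_fn(username, password, **kwargs)
    return time.monotonic() - started


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        for user in ("nobody", "alice"):
            (ok, msg), hashes = work_done(fn, user, "wrong password")
            print(f"{fn.__name__:14} {user:7} -> {msg!r:25} hashes={hashes} "
                  f"t={response_time(fn, user, 'wrong password'):.3f}s")
```

The floor on response time is a coarse backstop rather than the primary control: the equal-work dummy verification is what removes the large, reliably measurable gap, and the single message removes the control-flow discrepancy described under CWE-203. Per-user salts mean the dummy credential must carry its own salt so that the unknown-user path hashes exactly as the known-user path does.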
http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
http://marc.info/?l=bugtraq&m=105172058404810&w=2
http://marc.info/?l=bugtraq&m=106018677302607&w=2
http://www.redhat.com/support/errata/RHSA-2003-222.html
http://www.redhat.com/support/errata/RHSA-2003-224.html
http://www.securityfocus.com/bid/7467
http://www.turbolinux.com/security/TLSA-2003-31.txt
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A445
Published: 2003-05-12