CVE-2003-1562
Published 2003-12-31
Priority: P3 · 36 · high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EPSS: 5.57% (91.9th percentile)
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
Affected
50 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:3.8.1p1-8.sarge.4 (bookworm) | openssh 1:3.8.1p1-8.sarge.4 (bookworm) |
| openbsd | openssh | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics · 2022-12-19
ICS Advisory
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Red Hat
openssh information disclosure
vendor_redhat · 2003-05-01 · CVSS 5.0 (MEDIUM)
Statement: The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3, which are in maintenance mode.
Debian
CVE-2003-1562: openssh - sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using ...
vendor_debian · 2003 · CVSS 5.0 (MEDIUM)
Scope: local
- bookworm: resolved (fixed in 1:3.8.1p1-8.sarge.4)
- bullseye: resolved (fixed in 1:3.8.1p1-8.sarge.4)
- forky: resolved (fixed in 1:3.8.1p1-8.sarge.4)
- sid: resolved (fixed in 1:3.8.1p1-8.sarge.4)
- trixie: resolved (fixed in 1:3.8.1p1-8.sarge.4)
GHSA
GHSA-49wx-627v-6mcq: sshd in OpenSSH 3
ghsa_unreviewed · 2022-04-29 · CVSS 5.0 (MEDIUM) · CWE-362
OSV
CVE-2003-1562: sshd in OpenSSH 3
osv · 2003-12-31 · CVSS 5.0 (MEDIUM)
No detection rules found.
No public exploits indexed.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747
- http://www.securityfocus.com/archive/1/320153
- http://www.securityfocus.com/archive/1/320302
- http://www.securityfocus.com/archive/1/320440
- http://www.securityfocus.com/bid/7482
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf