OpenSSH w/ PAM Multiple Timing Attack Weaknesses

critical Nessus Plugin ID 11574

Language:

Synopsis

It is possible to enumerate valid users on the remote host.

Description

The remote host seems to be running an SSH server that could allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login compared to the time it takes to refuse a bad password for a valid login.

An attacker could use this flaw to set up a brute-force attack against the remote host.

Solution

Disable PAM support if you do not use it, upgrade to the OpenSSH version 3.6.1p2 or later.

Plugin Details

Severity: Critical

ID: 11574

File Name: openssh_pam_timing.nasl

Version: 1.50

Type: remote

Family: Misc.

Published: 5/6/2003

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Critical

Base Score: 9.4

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/28/2003

Reference Information

CVE: CVE-2003-0190, CVE-2003-1562

BID: 7342, 7467, 7482, 11781

CWE: 362

Detections

Analytics