OpenSSH w/ PAM Username Validity Timing Attack

2003-04-30T04:08:04
ID OSVDB:2140
Type osvdb
Reporter Maurizio Agazzini (inode@mediaservice.net), Solar Designer, Andrea Ghirardini (pila@pilasecurity.com), Marco Ivaldi (raptor@mediaservice.net)
Modified 2003-04-30T04:08:04

Description

Vulnerability Description

OpenSSH portable contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when PAM is enabled; remote users can determine which usernames are valid by looking at the relative time it takes to receive an error response from the system. When PAM is enabled, OpenSSH returns an error almost immediately if a user does not exist, and is slower if the user exists but the password is incorrect. This disparity in timing will disclose when the attacker hits upon a valid username, making brute-force username/password guessing easier and resulting in a loss of confidentiality.

Solution Description

Upgrade to version 3.6.1p2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling PAM support.
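As an added illustration, not code from OpenSSH, PAM or the advisory: a toy password check in Python that returns early for unknown users (the timing pattern described above) next to a hardened version that performs the same key derivation and constant-time comparison whether or not the username exists, so the error path costs the same either way. The user database, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed cost; high enough that skipping it is measurable


def derive(password: str, salt: bytes) -> bytes:
    """Expensive password hash (PBKDF2-HMAC-SHA256); stands in for the real credential check."""
    WorkCounter.calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class WorkCounter:
    """Counts derivations so the two code paths can be compared deterministically."""
    calls = 0


# Constructed user database: username -> (salt, stored hash). Only "alice" exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}

# Dummy credential used to give the unknown-user path the same work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("unused placeholder", _DUMMY_SALT)


def vulnerable_check(username: str, password: str) -> bool:
    """Fails fast for unknown users: the response time reveals whether the name exists."""
    rec = USERS.get(username)
    if rec is None:
        return False  # no derivation performed: near-instant rejection
    salt, stored = rec
    return hmac.compare_digest(derive(password, salt), stored)


def hardened_check(username: str, password: str) -> bool:
    """Always derives and compares, then ANDs in existence, so both failures take equal work."""
    rec = USERS.get(username)
    known = rec is not None
    salt, stored = rec if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(derive(password, salt), stored)
    return known and match


def derivations_used(check, username: str, password: str) -> int:
    """Return how many expensive derivations `check` performed for one login attempt."""
    before = WorkCounter.calls
    check(username, password)
    return WorkCounter.calls - before
```

Running `derivations_used` on a known and an unknown name shows the vulnerable path doing 0 versus 1 derivation while the hardened path does 1 in both cases, which is the property the fix restores.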

References:

Secunia Advisory ID: 14352
Secunia Advisory ID: 13631
Nessus Plugin ID: 11574
Nessus Plugin ID: 12407
ISS X-Force ID: 11902
Generic Informational URL: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
Generic Informational URL: http://www.secunia.com/advisories/8720/
Generic Exploit URL: http://milw0rm.com/exploits/3303
CVE-2003-0190
Bugtraq ID: 7342
Bugtraq ID: 7467
Bugtraq ID: 7482