AIX Remote Login Disable Password Verification Disclosure

2004-02-03T00:00:00
ID OSVDB:6929
Type osvdb
Reporter Scott Jefferd (scott.jefferd@cantire.com)
Modified 2004-02-03T00:00:00

Description

Vulnerability Description

IBM AIX contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker attempts to log in to an account that has remote login disabled. If the user ID and password combination is correct, the operating system responds with a message saying that remote logins are disabled. The attacker can thus brute-force or verify a password, resulting in a loss of confidentiality.
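
The following added example is a simplified model of the login decision described above, not AIX source code and not part of the original advisory. The account table, function names and message strings are constructed; the second function shows the same decision with a single refusal message, which removes the password-confirming response.

```c
/* Added illustration: a simplified model of the login decision, not AIX source.
 * Account data, function names and message strings are constructed. */
#include <stdio.h>
#include <string.h>

struct account {
    const char *user;
    const char *password;   /* plaintext only to keep the model short */
    int rlogin_allowed;     /* 0 = remote login disabled */
};

static const struct account ACCOUNTS[] = {
    { "root",  "s3cret-root",  0 },
    { "alice", "s3cret-alice", 1 },
};

static const struct account *find_account(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Behaviour described in the advisory: the remote-login restriction is
 * reported only after the password has been verified, so the message
 * itself confirms that the password is correct. */
const char *remote_login_leaky(const char *user, const char *pw) {
    const struct account *a = find_account(user);
    if (a == NULL || strcmp(a->password, pw) != 0)
        return "Invalid login name or password.";
    if (!a->rlogin_allowed)
        return "Remote logins are not allowed for this account.";
    return "Login successful.";
}

/* Uniform variant: every refusal returns the same text, so a remote
 * client learns nothing about whether the password was right. */
const char *remote_login_uniform(const char *user, const char *pw) {
    const struct account *a = find_account(user);
    int pw_ok = (a != NULL) && strcmp(a->password, pw) == 0;
    if (pw_ok && a->rlogin_allowed)
        return "Login successful.";
    return "Invalid login name or password.";
}

int main(void) {
    printf("leaky:   %s\n", remote_login_leaky("root", "s3cret-root"));
    printf("uniform: %s\n", remote_login_uniform("root", "s3cret-root"));
    return 0;
}
```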

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): implement better password policies, making it harder to guess passwords, or refrain from disabling remote login.

References:

Mail List Post: http://seclists.org/lists/security-basics/2004/Feb/0157.html
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107583269206044&w=2
ISS X-Force ID: 15172
CVE-2004-0243