CVE-2003-0190 Information

Description

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier, with PAM support enabled, immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Reference

http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
http://marc.info/?l=bugtraq&m=105172058404810&w=2
http://marc.info/?l=bugtraq&m=106018677302607&w=2
http://www.redhat.com/support/errata/RHSA-2003-222.html
http://www.redhat.com/support/errata/RHSA-2003-224.html
http://www.securityfocus.com/bid/7467
http://www.turbolinux.com/security/TLSA-2003-31.txt
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A445