OpenSSH portable contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when PAM is enabled; remote users can determine which usernames are valid by looking at the relative time it takes to receive an error response from the system. When PAM is enabled, OpenSSH returns an error almost immediately if a user does not exist, and is slower if the user exists but the password is incorrect. This disparity in timing will disclose when the attacker hits upon a valid username, making brute-force username/password guessing easier and resulting in a loss of confidentiality.

Upgrade to version 3.6.1p2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling PAM support.

• ISS X-Force ID: 11902
• Secunia Advisory ID: 13631 14352
• CVE ID: 2003-0190 (see also: NVD)
• Exploit Database: 25 26 3303
• Milw0rm: 25 26 3303
• Bugtraq ID: 7342 7467 7482
• Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747
• Generic Informational URL: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
  http://www.secunia.com/advisories/8720/
• Vendor Specific Advisory URL: http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=FsNALBWh&p_lva=&p_faqid=1533
  https://rhn.redhat.com/errata/RHSA-2003-222.html
  https://rhn.redhat.com/errata/RHSA-2003-224.html

• Marco Ivaldi - raptor0xdeadbeef.info - Antifork Research, Inc.
• Andrea Ghirardini - pilapilasecurity.com - Pila's Security Services
• Solar Designer - solarideal.ru -
• Maurizio Agazzini - inodemediaservice.net - Mediaservice.net Srl Data Security Division
• Marco Ivaldi - raptor0xdeadbeef.info - Antifork Research, Inc.
• Andrea Ghirardini - pilapilasecurity.com - Pila's Security Services
• Solar Designer - solarideal.ru -
• Maurizio Agazzini - inodemediaservice.net - Mediaservice.net Srl Data Security Division