Ubuntu 4.10 : openssh information leakage (USN-34-1)

Ubuntu Security Notice (C) 2004-2016 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.

Synopsis :

The remote Ubuntu host is missing one or more security-related

Description :

@Mediaservice.net discovered two information leaks in the OpenSSH
server. When using password authentication, an attacker could test
whether a login name exists by measuring the time between failed login
attempts, i.e. the time after which the 'password:' prompt appears.

A similar issue affects systems which do not allow root logins over
ssh ('PermitRootLogin no'). By measuring the time between login
attempts an attacker could check whether a given root password is
correct. This allowed determining weak root passwords using a brute
force attack.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 20650

Bugtraq ID:

CVE ID: CVE-2003-0190
