OpenSSH w/ PAM Multiple Timing Attack Weaknesses

Medium Nessus Plugin ID 11574


Synopsis

It is possible to enumerate valid users on the remote host.


Description

The remote host appears to be running an SSH server that could allow an attacker to determine whether a given login exists by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login with the time it takes to refuse a bad password for a valid login.

An attacker could use this flaw to set up a brute-force attack against the remote host.


Solution

Disable PAM support if you do not use it, or upgrade to OpenSSH version 3.6.1p2 or later.
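The following shell functions are an added example, not part of the Nessus plugin or of OpenSSH: they take an `sshd -T` style configuration dump and an OpenSSH version string and report whether the host matches the condition described above (PAM enabled on a release older than 3.6.1p2). The sample configuration and version below are constructed; on a real host you would feed in the output of `sshd -T` and the version reported by `ssh -V`. The version parser assumes OpenSSH's usual `MAJOR.MINOR[.PATCH][pN]` scheme.

```shell
#!/bin/sh
# Added example (not from the plugin or OpenSSH): check whether an sshd
# configuration dump and version string match "PAM enabled on OpenSSH < 3.6.1p2".

# Returns 0 when the `sshd -T` dump (passed as $1) has PAM enabled.
# sshd -T prints keywords in lower case, e.g. "usepam yes".
sshd_pam_enabled() {
    printf '%s\n' "$1" | grep -qi '^usepam yes$'
}

# Normalise an OpenSSH version into four integers: "3.6.1p2" -> "3 6 1 2",
# "3.6p1" -> "3 6 0 1", "3.7" -> "3 7 0 0". Accepts an "OpenSSH_" prefix and
# ignores anything after the first space (as in `ssh -V` output).
version_key() {
    v=${1#OpenSSH_}
    v=${v%% *}
    p=${v##*p}                     # portable-release number after "p"
    [ "$p" = "$v" ] && p=0         # no "p" suffix at all
    base=${v%%p*}
    set -- $(printf '%s' "$base" | tr '.' ' ')
    printf '%d %d %d %d' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# Returns 0 if version $1 is strictly older than version $2.
openssh_version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    # Positional parameters now hold a1 a2 a3 a4 b1 b2 b3 b4; compare pairwise.
    while [ $# -gt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
    done
    return 1
}

# Returns 0 (affected) when PAM is enabled and the version predates 3.6.1p2.
sshd_affected() {
    sshd_pam_enabled "$1" && openssh_version_lt "$2" "3.6.1p2"
}

# Constructed sample input standing in for `sshd -T` and `ssh -V` on a host.
SAMPLE_CONFIG='port 22
usepam yes
passwordauthentication yes'
SAMPLE_VERSION='OpenSSH_3.6p1'

if sshd_affected "$SAMPLE_CONFIG" "$SAMPLE_VERSION"; then
    echo "affected: PAM enabled on OpenSSH $SAMPLE_VERSION (< 3.6.1p2)"
else
    echo "not affected"
fi
```

On a live system the same check is `sshd_affected "$(sshd -T)" "$(ssh -V 2>&1)"`; `sshd -T` needs root and resolves the effective configuration, which is what matters here rather than the raw contents of sshd_config.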

Plugin Details

Severity: Medium

ID: 11574

File Name: openssh_pam_timing.nasl

Version: $Revision: 1.46 $

Type: remote

Family: Misc.

Published: 2003/05/06

Modified: 2017/12/19

Dependencies: 10267

Risk Information

Risk Factor: Medium


CVSS v2.0

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:ND/RC:ND


CVSS v3.0

Base Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2003/04/28

Reference Information

CVE: CVE-2003-0190, CVE-2003-1562

BID: 7342, 7467, 7482, 11781

OSVDB: 2109, 2140

CWE: 362