OpenSSH w/ PAM Multiple Timing Attack Weaknesses

critical Nessus Plugin ID 11574


It is possible to enumerate valid users on the remote host.


The remote host seems to be running an SSH server that could allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login compared to the time it takes to refuse a bad password for a valid login.

An attacker could use this flaw to set up a brute-force attack against the remote host.


Disable PAM support if you do not use it, upgrade to the OpenSSH version 3.6.1p2 or later.

Plugin Details

Severity: Critical

ID: 11574

File Name: openssh_pam_timing.nasl

Version: 1.50

Type: remote

Family: Misc.

Published: 5/6/2003

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N


Risk Factor: Critical

Base Score: 9.4

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/28/2003

Reference Information

CVE: CVE-2003-0190, CVE-2003-1562

BID: 7342, 7467, 7482, 11781

CWE: 362