Bugzilla – Bug 63329
VUL-0: CVE-2003-0190: openssh: timing attacks possible
Last modified: 2021-10-13 11:35:15 UTC
Just the reincarnation of bug 60531. Summary: remote timing attacks against sshd are possible.
This has nothing to do with ssh. This is a general problem with every application doing authentication stuff, even /bin/login. But since nobody else seems to see this, maybe we should ignore it, too.
Thorsten, we know. BTW, Ubuntu released an advisory for it:

===========================================================
Ubuntu Security Notice USN-34-1           November 30, 2004
openssh information leakage
CAN-2003-0190
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to version 1:3.8.1p1-11ubuntu3.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

@Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i.e. the time after which the "password:" prompt appears again.

A similar issue affects systems which do not allow root logins over ssh ("PermitRootLogin no"). By measuring the time between login attempts an attacker could check whether a given root password is correct. This allowed determining weak root passwords using a brute force attack.

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.1.diff.gz
Size/MD5: 145620 71fa539badedbda58b58ef29139fd413
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.1.dsc
Size/MD5: 878 5bdd27605cc38bce0cce01bcf9928808
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
Size/MD5: 795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d
...

http://www.securityfocus.com/bid/11781/discussion/
http://www.securityfocus.com/bid/7482/discussion/
http://www.securityfocus.com/bid/7467/discussion/
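Added example, not part of this bug report, the Ubuntu advisory or the OpenSSH patches: a simplified Python model of the leak the advisory describes and of a check that does the same work for every outcome. The account names, passwords, DENIED set, work factor and function names are all constructed for the illustration; the count of key-derivation runs stands in for the response time an observer would measure.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000   # constructed work factor for the demo
hash_calls = 0        # expensive KDF runs; a deterministic stand-in for elapsed time

def kdf(password, salt):
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed account database (assumption, not real data).
USERS = {"alice": make_record("correct horse"), "root": make_record("toor-demo")}
DENIED = {"root"}                          # models "PermitRootLogin no"
DUMMY = make_record(os.urandom(16).hex())  # record used for unknown login names

def auth_leaky(user, password):
    """Unknown names return before the expensive step, so failures differ in time."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(kdf(password, salt), stored)

def auth_uniform(user, password):
    """Always run one KDF and one constant-time compare, then apply policy."""
    salt, stored = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(kdf(password, salt), stored)
    return ok and user in USERS and user not in DENIED

def cost(auth, user, password):
    """Return (result, number of KDF runs) for one login attempt."""
    before = hash_calls
    result = auth(user, password)
    return result, hash_calls - before

if __name__ == "__main__":
    for auth in (auth_leaky, auth_uniform):
        for user, pw in [("nobody", "x"), ("alice", "x"), ("root", "toor-demo")]:
            print(auth.__name__, user, cost(auth, user, pw))
```

In auth_uniform a refused root login costs the same as any other failure whether or not the password was right, which is the property both leaks in the advisory lacked.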
Petr, now since this issue got noticed publicly, did the OpenSSH folks react in some way?
Yes, there are some fixes, but not in the final state.
OpenSSH bugzilla: http://bugzilla.mindrot.org/show_bug.cgi?id=975
Mail thread about solving this bug: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110392890022163&w=2
The following patches fix the problem:
http://bugzilla.mindrot.org/attachment.cgi?id=766
http://bugzilla.mindrot.org/attachment.cgi?id=771
http://bugzilla.mindrot.org/attachment.cgi?id=775
Thomas, could I make a security fix for all distros?
Good question. We decided it should be updated for SLES8 and SLES9 as well as STABLE. Box can be ignored. Ok?
SLES8 is not affected, I prepared a fix for 9.1 (=sles9) and 9.2 and submit it to stable. I appended 2 small patches (fixing restoring terminal settings after Ctrl+C during password prompt [#43309] and allowing users to see output from failing PAM session modules (openssh bugzilla#890)).
perfect.
SM-Tracker-349
`patchinfo-box9.1und9.1.openssh' -> `/work/src/done/PATCHINFO/patchinfo-box9.1und9.1.openssh' `patchinfo-sles9.openssh' -> `/work/src/done/PATCHINFO/patchinfo-sles9.openssh'
fixed packages approved.
CVE-2003-0190: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)