Red Hat Local Security Checks : RedHat Security Advisory RHSA-2003:224

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.50971

Categoría: Red Hat Local Security Checks

Título: RedHat Security Advisory RHSA-2003:224

Resumen: NOSUMMARY

Descripción: Description:

The remote host is missing updates announced in
advisory RHSA-2003:224.

OpenSSH is a suite of network connectivity tools that can be used to
establish encrypted connections between systems on a network and can
provide interactive login sessions and port forwarding, among other functions.

When configured to allow password-based or challenge-response
authentication, sshd (the OpenSSH server) uses PAM (Pluggable
Authentication Modules) to verify the user's password. Under certain
conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid
authentication attempt without first attempting authentication using PAM.

If PAM is configured with its default failure delay, the amount of time
sshd takes to reject an invalid authentication request varies widely enough
that the timing variations could be used to deduce whether or not an
account with a specified name existed on the server. This information
could then be used to narrow the focus of an attack against some other
system component.

These updates contain backported fixes that cause sshd to always attempt
PAM authentication when performing password and challenge-response
authentication for clients.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2003-224.html

Risk factor : Medium

CVSS Score:
5.0

Referencia Cruzada: BugTraq ID: 7482
BugTraq ID: 7342
Common Vulnerability Exposure (CVE) ID: CVE-2003-0190
BugTraq ID: 7467
http://www.securityfocus.com/bid/7467
Bugtraq: 20030430 OpenSSH/PAM timing attack allows remote users identification (Google Search)
http://marc.info/?l=bugtraq&m=105172058404810&w=2
Bugtraq: 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) (Google Search)
http://marc.info/?l=bugtraq&m=106018677302607&w=2
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
http://lab.mediaservice.net/advisory/2003-01-openssh.txt
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A445
http://www.redhat.com/support/errata/RHSA-2003-222.html
http://www.redhat.com/support/errata/RHSA-2003-224.html
TurboLinux Advisory: TLSA-2003-31
http://www.turbolinux.com/security/TLSA-2003-31.txt

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.50971
Categoría:	Red Hat Local Security Checks
Título:	RedHat Security Advisory RHSA-2003:224
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory RHSA-2003:224. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. When configured to allow password-based or challenge-response authentication, sshd (the OpenSSH server) uses PAM (Pluggable Authentication Modules) to verify the user's password. Under certain conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid authentication attempt without first attempting authentication using PAM. If PAM is configured with its default failure delay, the amount of time sshd takes to reject an invalid authentication request varies widely enough that the timing variations could be used to deduce whether or not an account with a specified name existed on the server. This information could then be used to narrow the focus of an attack against some other system component. These updates contain backported fixes that cause sshd to always attempt PAM authentication when performing password and challenge-response authentication for clients. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2003-224.html Risk factor : Medium CVSS Score: 5.0
Referencia Cruzada:	BugTraq ID: 7482 BugTraq ID: 7342 Common Vulnerability Exposure (CVE) ID: CVE-2003-0190 BugTraq ID: 7467 http://www.securityfocus.com/bid/7467 Bugtraq: 20030430 OpenSSH/PAM timing attack allows remote users identification (Google Search) http://marc.info/?l=bugtraq&m=105172058404810&w=2 Bugtraq: 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) (Google Search) http://marc.info/?l=bugtraq&m=106018677302607&w=2 http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html http://lab.mediaservice.net/advisory/2003-01-openssh.txt https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A445 http://www.redhat.com/support/errata/RHSA-2003-222.html http://www.redhat.com/support/errata/RHSA-2003-224.html TurboLinux Advisory: TLSA-2003-31 http://www.turbolinux.com/security/TLSA-2003-31.txt
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com