Vulnerability CVE-2004-0243

Vulnerability Name:

CVE-2004-0243 (CCN-15058)

Assigned:

2004-01-31

Published:

2004-01-31

Updated:

2017-07-11

Summary:

AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Obtain Information

References:

Source: CCN
Type: BugTraq Mailing List, Sat Jan 31 2004 - 03:54:12 CST
sqwebmail web login

Source: BUGTRAQ
Type: UNKNOWN
20040206 AIX password enumeration possible

Source: MITRE
Type: CNA
CVE-2004-0243

Source: MITRE
Type: CNA
CVE-2004-2313

Source: BUGTRAQ
Type: UNKNOWN
20040203 Re: sqwebmail web login

Source: CCN
Type: BugTraq Mailing List, 2004-02-03 14:40:24
Re: sqwebmail web login

Source: CCN
Type: OSVDB ID: 19833
SqWebMail Error Message Account Enumeration

Source: CCN
Type: BID-9541
SqWebMail Authentication Response Information Leakage Weakness

Source: XF
Type: UNKNOWN
sqwebmail-login-info-disclosure(15058)

Source: XF
Type: UNKNOWN
aix-password-enumeration(15172)

Vulnerable Configuration:

Configuration 1:

cpe:/o:ibm:aix:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2004-0243 (CCN-15172)

Assigned:

2004-02-11

Published:

2004-02-11

Updated:

2004-02-11

Summary:

IBM AIX could allow a remote attacker to determine valid passwords. If an account is disabled for remote login and an attacker supplies a valid username, AIX sends a different response depending on whether an invalid or valid password is submitted. This could allow a remote attacker to determine valid passwords and possibly gain unauthorized access to the system.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Consequences:

Bypass Security

References:

Source: CCN
Type: BugTraq Mailing List, Fri Feb 06 2004 - 05:51:18 CST
AIX password enumeration possible

Source: MITRE
Type: CNA
CVE-2004-0243

Source: XF
Type: UNKNOWN
aix-password-enumeration(15172)

Vulnerable Configuration:

Configuration CCN 1:

cpe:/o:ibm:aix:5.1:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK