IBM AIX password enumeration
| aix-password-enumeration (15172) |  Low Risk |
Description:
IBM AIX could allow a remote attacker to determine valid passwords. If an account is disabled for remote login and an attacker supplies a valid username, AIX sends a different response depending on whether an invalid or valid password is submitted. This could allow a remote attacker to determine valid passwords and possibly gain unauthorized access to the system.
Consequences:
Bypass Security
Remedy:
No remedy available as of July 9, 2011.
References:
- BugTraq Mailing List, Fri Feb 06 2004 - 05:51:18 CST : AIX password enumeration possible.
- CVE-2004-0243: AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.
Platforms Affected:
- IBM AIX 4.3.3
- IBM AIX 5.1
Reported:
Feb 11, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net