CVE-2007-2243

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Openssh	Openbsd	1.2 (including)	1.2 (including)
Openssh	Openbsd	1.2.1 (including)	1.2.1 (including)
Openssh	Openbsd	1.2.2 (including)	1.2.2 (including)
Openssh	Openbsd	1.2.3 (including)	1.2.3 (including)
Openssh	Openbsd	1.2.27 (including)	1.2.27 (including)
Openssh	Openbsd	2.1 (including)	2.1 (including)
Openssh	Openbsd	2.1.1 (including)	2.1.1 (including)
Openssh	Openbsd	2.2 (including)	2.2 (including)
Openssh	Openbsd	2.3 (including)	2.3 (including)
Openssh	Openbsd	2.5 (including)	2.5 (including)
Openssh	Openbsd	2.5.1 (including)	2.5.1 (including)
Openssh	Openbsd	2.5.2 (including)	2.5.2 (including)
Openssh	Openbsd	2.9 (including)	2.9 (including)
Openssh	Openbsd	2.9.9 (including)	2.9.9 (including)
Openssh	Openbsd	2.9.9p2 (including)	2.9.9p2 (including)
Openssh	Openbsd	2.9p1 (including)	2.9p1 (including)
Openssh	Openbsd	2.9p2 (including)	2.9p2 (including)
Openssh	Openbsd	3.0 (including)	3.0 (including)
Openssh	Openbsd	3.0.1 (including)	3.0.1 (including)
Openssh	Openbsd	3.0.1p1 (including)	3.0.1p1 (including)
Openssh	Openbsd	3.0.2 (including)	3.0.2 (including)
Openssh	Openbsd	3.0.2p1 (including)	3.0.2p1 (including)
Openssh	Openbsd	3.0p1 (including)	3.0p1 (including)
Openssh	Openbsd	3.1 (including)	3.1 (including)
Openssh	Openbsd	3.1p1 (including)	3.1p1 (including)
Openssh	Openbsd	3.2 (including)	3.2 (including)
Openssh	Openbsd	3.2.2 (including)	3.2.2 (including)
Openssh	Openbsd	3.2.2p1 (including)	3.2.2p1 (including)
Openssh	Openbsd	3.2.3p1 (including)	3.2.3p1 (including)
Openssh	Openbsd	3.3 (including)	3.3 (including)
Openssh	Openbsd	3.3p1 (including)	3.3p1 (including)
Openssh	Openbsd	3.4 (including)	3.4 (including)
Openssh	Openbsd	3.4p1 (including)	3.4p1 (including)
Openssh	Openbsd	3.5 (including)	3.5 (including)
Openssh	Openbsd	3.5p1 (including)	3.5p1 (including)
Openssh	Openbsd	3.6 (including)	3.6 (including)
Openssh	Openbsd	3.6.1 (including)	3.6.1 (including)
Openssh	Openbsd	3.6.1p1 (including)	3.6.1p1 (including)
Openssh	Openbsd	3.6.1p2 (including)	3.6.1p2 (including)
Openssh	Openbsd	3.7 (including)	3.7 (including)
Openssh	Openbsd	3.7.1 (including)	3.7.1 (including)
Openssh	Openbsd	3.7.1p1 (including)	3.7.1p1 (including)
Openssh	Openbsd	3.7.1p2 (including)	3.7.1p2 (including)
Openssh	Openbsd	3.8 (including)	3.8 (including)
Openssh	Openbsd	3.8.1 (including)	3.8.1 (including)
Openssh	Openbsd	3.8.1p1 (including)	3.8.1p1 (including)
Openssh	Openbsd	3.9 (including)	3.9 (including)
Openssh	Openbsd	3.9.1 (including)	3.9.1 (including)
Openssh	Openbsd	3.9.1p1 (including)	3.9.1p1 (including)
Openssh	Openbsd	4.0 (including)	4.0 (including)
Openssh	Openbsd	4.0p1 (including)	4.0p1 (including)
Openssh	Openbsd	4.1 (including)	4.1 (including)
Openssh	Openbsd	4.1p1 (including)	4.1p1 (including)
Openssh	Openbsd	4.2 (including)	4.2 (including)
Openssh	Openbsd	4.2p1 (including)	4.2p1 (including)
Openssh	Openbsd	4.3 (including)	4.3 (including)
Openssh	Openbsd	4.3p1 (including)	4.3p1 (including)
Openssh	Openbsd	4.3p2 (including)	4.3p2 (including)
Openssh	Openbsd	4.4 (including)	4.4 (including)
Openssh	Openbsd	4.4p1 (including)	4.4p1 (including)
Openssh	Openbsd	4.5 (including)	4.5 (including)
Openssh	Openbsd	4.6 (including)	4.6 (including)
Openssh	Ubuntu	dapper	*
Openssh	Ubuntu	devel	*
Openssh	Ubuntu	edgy	*
Openssh	Ubuntu	feisty	*
Openssh	Ubuntu	gutsy	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-2243
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2007-2243

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References