Title: Red Hat PAM qpopper User Enumeration Vulnerability
Severity: HIGH
Description:
Qpopper is a widely used POP daemon for Unix systems.
When qpopper is used in conjunction with PAM on Red Hat systems, remote attackers can enumerate valid account usernames. This is due to different error messages being output when authentication attempts are made using valid and invalid usernames.
When a remote client attempts to authenticate using a valid username with an invalid password, the server outputs:
-ERR [AUTH] PAM authentication failed for user "validuser": Authentication failure (7)
When an authentication attempt is made with an invalid username, the server outputs:
-ERR [AUTH] Password supplied for "username" is incorrect.
By attempting to authenticate using various usernames and viewing the server responses, it is possible for a remote attacker to determine valid usernames on the system.
This information may make a brute force attack significantly more feasible.
Note: This vulnerability only affects qpopper when it is used with PAM. Red Hat systems are reported to be vulnerable.
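As an added illustration (not code from the advisory or from the qpopper project), the following Python models the two reply behaviours quoted above next to a uniform-reply variant, with a check a maintainer could run against either to confirm that a wrong password for a real account and an unknown account produce the same -ERR line; the account table, passwords and the hardened message text are constructed for the example.

```python
"""Model the distinguishable qpopper/PAM replies and test for the username oracle."""
from typing import Callable

# Constructed account table standing in for the system's password database.
ACCOUNTS = {"validuser": "correct horse battery staple"}

Responder = Callable[[str, str], str]


def vulnerable_reply(user: str, password: str) -> str:
    """Reproduces the two different -ERR lines quoted in the advisory."""
    if user in ACCOUNTS:
        if ACCOUNTS[user] == password:
            return "+OK Mailbox open"
        # Real account, wrong password: PAM-specific failure text.
        return (f'-ERR [AUTH] PAM authentication failed for user "{user}": '
                "Authentication failure (7)")
    # Unknown account: a different message, which is the leak.
    return f'-ERR [AUTH] Password supplied for "{user}" is incorrect.'


def hardened_reply(user: str, password: str) -> str:
    """Same fixed -ERR line whether the account exists or not (constructed text)."""
    if ACCOUNTS.get(user) == password:
        return "+OK Mailbox open"
    return "-ERR [AUTH] Authentication failed."


def leaks_username_validity(reply: Responder, known_user: str,
                            unknown_user: str) -> bool:
    """True if a wrong-password attempt for a real account can be told apart
    from an attempt against a non-existent account by the reply text alone.
    The usernames themselves are masked so only the message shape is compared."""
    bad_pw = "definitely-not-the-password"
    known = reply(known_user, bad_pw).replace(known_user, "<user>")
    unknown = reply(unknown_user, bad_pw).replace(unknown_user, "<user>")
    return known != unknown
```

A uniform message closes the oracle described here but does not by itself remove timing differences between the two code paths, which a fuller check would also measure.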
Affected Products:
- Qualcomm qpopper 4.0.1
- RedHat Linux 7.0.0
- RedHat Linux 7.1.0
- Sun Cobalt RaQ 4
References:
- Qualcomm: Qpopper Homepage
- RedHat: Updates, Fixes, and Errata Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.