CVE-2004-2760
Description
OpenSSH 3.5p1 with PermitRootLogin disabled leaks root password validity via connection closure timing, enabling remote brute-force attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenSSH 3.5p1, when PermitRootLogin is set to no, the SSH daemon (sshd) behaves differently after a root login attempt: if the password is correct, the TCP connection is closed immediately; if incorrect, the connection remains open for further authentication attempts. This behavioral difference allows an attacker to determine whether a guessed root password is valid by observing the connection state. The issue is distinct from CVE-2003-0190 [1].
Exploitation
An attacker with network access to the SSH service can perform a brute-force attack on the root password. For each guessed password, the attacker initiates an SSH connection as root. If the connection is closed immediately after the password prompt, the password is correct; if the connection remains open (allowing further prompts), the password is incorrect. This side channel reduces the number of attempts needed to guess the password, though the attack is slow and generates logs [1].
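Because the guessing described above leaves entries in sshd's logs, repeated root password attempts from a single source can be flagged on the defender's side. The following is an added example, not part of the original entry; the syslog message formats, the sample log lines, and the function name `root_guessing_sources` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (documentation addresses; message formats are
# assumed, so check them against the sshd build that is actually deployed).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[411]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  3 10:00:03 host sshd[411]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  3 10:00:05 host sshd[412]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  3 10:00:09 host sshd[413]: ROOT LOGIN REFUSED FROM 192.0.2.10
Mar  3 10:02:00 host sshd[420]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:05:00 host sshd[430]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""

FAILED_ROOT = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+")
REFUSED_ROOT = re.compile(r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (\S+)")


def root_guessing_sources(log_text, threshold=3):
    """Return {source: {"failed": n, "refused": m}} for every source whose
    root login attempts (failed plus refused) reach the threshold."""
    stats = defaultdict(lambda: {"failed": 0, "refused": 0})
    for line in log_text.splitlines():
        match = FAILED_ROOT.search(line)
        if match:
            stats[match.group(1)]["failed"] += 1
            continue
        # Refused root logins are counted separately so an analyst can
        # review them alongside the failed attempts from the same source.
        match = REFUSED_ROOT.search(line)
        if match:
            stats[match.group(1)]["refused"] += 1
    return {src: c for src, c in stats.items()
            if c["failed"] + c["refused"] >= threshold}


if __name__ == "__main__":
    for src, counts in sorted(root_guessing_sources(SAMPLE_LOG).items()):
        print(f"{src}: {counts['failed']} failed, {counts['refused']} refused root logins")
```

Attempts against non-root accounts are ignored here; the threshold is a tuning choice for the environment.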
Impact
Successful exploitation allows an attacker to determine the correct root password, leading to full remote compromise of the system with root privileges. The confidentiality, integrity, and availability impact is partial (CVSS 6.8). However, the vulnerability only aids password guessing; it does not bypass authentication or provide direct access without a valid password.
Mitigation
The vulnerability exists in OpenSSH 3.5p1. Later versions of OpenSSH have fixed this behavior. Users should upgrade to a patched version (e.g., OpenSSH 3.6.1p1 or later). For systems where upgrade is not immediately possible, enabling PermitRootLogin (if acceptable) or using key-based authentication can mitigate the information leak. The issue is noted as still present in FreeBSD-STABLE at the time of reporting [1]. No CISA KEV listing is known.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.5p1
Patches
No patches discovered yet.
References