ID CVE-2003-0512
Summary Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge.
References
Vulnerable Configurations
  • cpe:2.3:o:cisco:ios:12.0\(24\)s1:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.0\(24.2\)s:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(11\)ja1:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(14.5\):*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(14.5\)t:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(15\)zn:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(15.1\)s:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(16\)b:*:*:*:*:*:*:*
  • cpe:2.3:o:cisco:ios:12.2\(16.1\)b:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity NONE
Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
accepted 2008-09-08T04:00:48.595-04:00
class vulnerability
contributors
name Yuzheng Zhou
organization Hewlett-Packard
description Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge.
family ios
id oval:org.mitre.oval:def:5824
status accepted
submitted 2008-05-02T11:06:36.000-04:00
title Cisco IOS User Enumeration via Error Messages
version 3
refmap via4
cert-vn VU#886796
cisco 20030724 Enumerating Locally Defined Users in Cisco IOS
misc http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm
vulnwatch 20030728 Cisco Aironet AP1100 Valid Account Disclosure Vulnerability
Last major update 11-10-2017 - 01:29
Published 27-08-2003 - 04:00
Last modified 11-10-2017 - 01:29