HP Tru64 Valid User Enumeration Weakness

Bugtraq ID:	24021
Class:	Design Error
CVE:	CVE-2007-2791
Remote:	Yes
Local:	No
Published:	May 16 2007 12:00AM
Updated:	Jun 04 2007 09:40PM
Credit:	Andrea Purificato is credited with the discovery of this vulnerability.
Vulnerable:	HP Tru64 5.1 B-4 HP Tru64 5.1 B-3
Not Vulnerable:

HP Tru64 Valid User Enumeration Weakness

Hewlett Packard Tru64 is prone to an information-disclosure weakness.

An attacker can exploit this issue to enumerate valid user names. This may aid in further attacks.

HP Tru64 UNIX v5.1B-3 and v5.1B-4 are vulnerable.

HP Tru64 Valid User Enumeration Weakness

An attacker can use readily available network tools to exploit this weakness.

The following exploit is available:

• /data/vulnerabilities/exploits/24021.pl

HP Tru64 Valid User Enumeration Weakness

Solution:
HP has released an advisory along with fixes to address this issue. Please see the referenced advisory for information on obtaining and applying fixes.


HP Tru64 5.1 B-3

• HP T64KIT1001208-V51BB26-ES-20070427 Patch for HP Tru64 UNIX - SSRT071323: SSH Potential Remote Identif
  http://www4.itrc.hp.com/service/patch/patchDetail.do?BC=main|patchDeta il{T64KIT1001208-V51BB26-ES-20070427,{tru:tru64:5.1b,}}|&patchid=T64KI T1001208-V51BB26-ES-20070427&sel={tru:tru64:5.1b,}

HP Tru64 Valid User Enumeration Weakness

References:

• HPSBTU02209 SSRT071323 : HP Tru64 SSH Valid User Identification (HP)
  
• Welcome to Hewlett Packard (Hewlett Packard)