CVE-2004-2760 in OpenSSH
Summary
by MITRE
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/05/2025
The vulnerability identified as CVE-2004-2760 affects the sshd component in OpenSSH version 3.5p1 and represents a timing-based side-channel attack that undermines authentication security. This flaw manifests when the PermitRootLogin directive is set to disabled, creating an inconsistent response behavior that inadvertently reveals information about authentication attempts. The vulnerability operates through a subtle but significant difference in connection handling between successful and failed root login attempts, making it particularly concerning for systems where SSH access is a primary attack vector.
The technical implementation of this vulnerability stems from the inconsistent connection management logic within the OpenSSH daemon. When a root login attempt is made with an incorrect password, the sshd process maintains the TCP connection open, allowing the attacker to observe the connection state and infer that the authentication attempt was processed. However, when a root login attempt succeeds with the correct password, the connection is immediately closed, creating a detectable timing difference that can be exploited by attackers. This behavior creates a timing channel that leaks information about whether the password was correct, effectively reducing the security of password-based authentication.
The operational impact of CVE-2004-2760 extends beyond simple credential guessing, as it provides attackers with a method to perform more sophisticated brute force attacks against root accounts. This vulnerability specifically affects systems where root login is disabled but password authentication remains enabled, making it particularly relevant for production environments that follow security best practices of disabling direct root access. The timing differences create a measurable advantage for attackers who can observe connection states, potentially reducing the time required to discover valid credentials through automated attacks. This issue is classified under CWE-203, which addresses information exposure through timing discrepancies, and aligns with ATT&CK technique T1110.001 for credential access through password guessing.
The security implications of this vulnerability are compounded by the fact that it operates without requiring additional privilege escalation or separate exploitation vectors. While some argue that this vulnerability does not cross traditional privilege boundaries without additional leverage, the timing channel it creates provides attackers with sufficient information to significantly reduce the complexity of password guessing attacks. The inconsistency in connection handling creates a predictable pattern that automated tools can exploit to determine the validity of authentication attempts, making this vulnerability particularly dangerous in environments where SSH access is a primary attack surface. Organizations implementing security controls should consider this vulnerability when assessing their SSH server configurations and implementing mitigation strategies that address timing-based information leakage.
Mitigation strategies for CVE-2004-2760 involve updating to OpenSSH versions that address this specific timing inconsistency, ensuring that all authentication attempts regardless of success or failure maintain consistent connection behavior. Administrators should also implement additional security measures such as account lockout mechanisms, fail2ban configurations, and monitoring for suspicious authentication patterns. The vulnerability demonstrates the importance of consistent security implementation across all aspects of authentication systems, including timing and connection management. Organizations should review their SSH configurations to ensure that all authentication attempts produce identical responses, preventing information leakage through timing channels that could be exploited by malicious actors.