IBM OS/400 POP3 Server User Account/Profile Enumeration
Remote / Network Access
Loss of Confidentiality
OS/400 POP3 Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a malicious attacker attempts to log in: the resulting error messages disclose username and password status information, resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Discovery of this issue is credited to "Shalom Carmel" <email@example.com>.
IBM iSeries AS400
IBM iSeries AS400 computers are reported prone to a remote information disclosure vulnerability. The issue exists in the POP3 service that is installed and runs by default on affected computers.
During authentication, when a username is supplied, the affected service replies with overly verbose status messages.
A remote attacker may employ these status messages to aid in the disclosure of valid usernames during brute force attacks. Information that is harvested in this manner may then be used to aid in further attacks.
No exploit is required.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
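An added example, not part of the original advisory: a Python audit that takes failed-login replies recorded against lab accounts whose state is already known and reports whether the replies let the failure causes be told apart, which is the condition the advisory describes. The transcripts, the reply strings and the names `normalize` and `audit` are constructed for illustration; the actual OS/400 message texts are not given on this page.

```python
import re
from collections import defaultdict

# Constructed lab transcripts: (known cause, username sent, stage, reply).
# Reply strings are invented placeholders, not the actual OS/400 messages.
VERBOSE = [
    ("unknown_user", "nosuchusr", "PASS", "-ERR profile NOSUCHUSR not found"),
    ("wrong_password", "alice", "PASS", "-ERR password not valid for ALICE"),
    ("disabled_profile", "bob", "PASS", "-ERR profile BOB is disabled"),
]
UNIFORM = [
    ("unknown_user", "nosuchusr", "PASS", "-ERR authentication failed"),
    ("wrong_password", "alice", "PASS", "-ERR Authentication failed"),
    ("disabled_profile", "bob", "PASS", "-ERR  authentication failed"),
]
# Same text, but the unknown user is rejected one command earlier.
STAGE_LEAK = [
    ("unknown_user", "nosuchusr", "USER", "-ERR authentication failed"),
    ("wrong_password", "alice", "PASS", "-ERR authentication failed"),
]


def normalize(reply, username):
    """Mask the echoed username and fold case/whitespace so only wording differs."""
    masked = re.sub(re.escape(username), "<user>", reply, flags=re.IGNORECASE)
    return " ".join(masked.lower().split())


def audit(records):
    """Group failure replies by known cause; a leak means the causes can be told apart."""
    by_cause = defaultdict(set)
    for cause, username, stage, reply in records:
        # The stage is part of the signature: failing at USER vs PASS is itself a signal.
        by_cause[cause].add((stage, normalize(reply, username)))
    signatures = {frozenset(replies) for replies in by_cause.values()}
    return {"leaks": len(signatures) > 1, "by_cause": dict(by_cause)}


if __name__ == "__main__":
    for name, sample in [("verbose", VERBOSE), ("uniform", UNIFORM), ("stage", STAGE_LEAK)]:
        result = audit(sample)
        print(name, "LEAKS account state" if result["leaks"] else "uniform failures")
        for cause, replies in sorted(result["by_cause"].items()):
            print("   ", cause, sorted(replies))
```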