[v3.1] OpenSSH: keyboard-interactive authentication brute force vulnerability (CVE-2015-5600)
OpenSSH allows six authentication tries by default before it closes
the connection (the ssh client itself allows only three password
entries by default).
With this vulnerability an attacker is able to request as many
password prompts as the "login grace time" setting allows, and that
setting is two minutes by default.
FreeBSD systems in particular are affected by the vulnerability because
they have keyboard-interactive authentication enabled by default.
A simple way to exploit the bug is to execute this command:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
This effectively allows up to 10000 password entries, limited only by
the login grace time setting.
The crucial part is that if the attacker requests 10000
keyboard-interactive devices, OpenSSH will gracefully execute the
request and stay inside a loop accepting passwords until the
specified devices are exhausted.
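The three settings the issue turns on (keyboard-interactive enabled, MaxAuthTries, LoginGraceTime) can be checked on a host before and after patching. The following is an added example, not part of the issue or of OpenSSH: it reads an sshd_config text, applies sshd's rule that the first value obtained for a keyword wins, ignores Match blocks, and reports whether keyboard-interactive/PAM exposure still exists and whether the grace window is longer than a chosen limit. The defaults and both sample configs are constructed for the example; ChallengeResponseAuthentication was the keyword name at the time, newer releases call it KbdInteractiveAuthentication, so both are accepted.

```python
import re

# Assumed defaults (as documented for sshd_config of that era): keyboard-interactive
# on, six tries, 120 second grace window.
DEFAULTS = {"challengeresponseauthentication": "yes",
            "maxauthtries": "6",
            "logingracetime": "120"}

def parse_sshd_config(text):
    """Return the effective global keyword values of an sshd_config.

    sshd uses the first value obtained for a keyword, so later duplicates are
    ignored; everything after a Match line is skipped (conditional settings).
    """
    values, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            in_match = True
        if in_match or len(parts) != 2:
            continue
        values.setdefault(key, parts[1].strip())     # first value wins
    return values

def to_seconds(value):
    """Convert an sshd time value such as '120', '2m' or '1h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError("bad time value: %r" % value)
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * mult[m.group(2)]

def audit(text, max_tries=6, max_grace=120):
    """Return a list of findings relevant to CVE-2015-5600 exposure."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    kbd = cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"])
    findings = []
    if kbd.lower() == "yes":
        findings.append("keyboard-interactive authentication is enabled")
    if int(cfg["maxauthtries"]) > max_tries:
        findings.append("MaxAuthTries %s exceeds %d" % (cfg["maxauthtries"], max_tries))
    if to_seconds(cfg["logingracetime"]) > max_grace:
        findings.append("LoginGraceTime %s exceeds %ds" % (cfg["logingracetime"], max_grace))
    return findings

# Constructed sample configs: a FreeBSD-style default and a tightened one.
WEAK_CONFIG = "ChallengeResponseAuthentication yes\nLoginGraceTime 2m\nMaxAuthTries 6\n"
HARDENED_CONFIG = ("# tightened\nChallengeResponseAuthentication no\nLoginGraceTime 30\n"
                   "MaxAuthTries 3\nChallengeResponseAuthentication yes  # ignored\n")
```

Disabling keyboard-interactive only removes the exploitable path; the changeset below (the upstream fix) is the actual remedy, and the audit is a way to confirm the fallback settings on hosts that cannot be updated immediately.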
Reference:
http://seclists.org/fulldisclosure/2015/Jul/92
(from redmine: issue id 4476, created on 2015-07-24, closed on 2015-07-31)
- Relations:
- parent #4473 (closed)
- Changesets:
- Revision 3885568b by Natanael Copa on 2015-07-30T14:38:40Z:
main/openssh: security fix for CVE-2015-5600
fixes #4476