CVE-2015-5600 in Ubuntu

CVE-2015-5600

Priority

Low

Description

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through
6.9 does not properly restrict the processing of keyboard-interactive
devices within a single connection, which makes it easier for remote
attackers to conduct brute-force attacks or cause a denial of service (CPU
consumption) via a long and duplicative list in the ssh
-oKbdInteractiveDevices option, as demonstrated by a modified client that
provides a different password for each pam element on this list.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
http://seclists.org/fulldisclosure/2015/Jul/92
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
https://usn.ubuntu.com/usn/usn-2710-1

Notes

tyhicks> Only affects systems with KbdInteractiveAuthentication set to 'yes'.
By default, that option is set to 'no' in Ubuntu.

Assigned-to

mdeslaur

Package

Source: openssh (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 14.04 LTS (Trusty Tahr):	released (1:6.6p1-2ubuntu2.2)

Patches:

Upstream:	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h
Upstream:	https://github.com/openssh/openssh-portable/commit/5b64f85bb811246c59ebab70aed331f26ba37b18

More Information

Updated: 2017-12-15 20:34:30 UTC (commit 13913)