CVE-2015-5600 (retired)

Priority
Description
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through
6.9 does not properly restrict the processing of keyboard-interactive
devices within a single connection, which makes it easier for remote
attackers to conduct brute-force attacks or cause a denial of service (CPU
consumption) via a long and duplicative list in the ssh
-oKbdInteractiveDevices option, as demonstrated by a modified client that
provides a different password for each pam element on this list.
Assigned-to
mdeslaur
Notes
tyhicksOnly affects systems with KbdInteractiveAuthentication set to 'yes'.
By default, that option is set to 'no' in Ubuntu.
More Information

Updated: 2019-10-09 07:53:27 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)