CVE-2015-5600

Priority
Description
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through
6.9 does not properly restrict the processing of keyboard-interactive
devices within a single connection, which makes it easier for remote
attackers to conduct brute-force attacks or cause a denial of service (CPU
consumption) via a long and duplicative list in the ssh
-oKbdInteractiveDevices option, as demonstrated by a modified client that
provides a different password for each pam element on this list.
Assigned-to
mdeslaur
Notes
tyhicksOnly affects systems with KbdInteractiveAuthentication set to 'yes'.
By default, that option is set to 'no' in Ubuntu.
More Information

Updated: 2020-07-28 19:54:54 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)