OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

2015-07-21T00:00:00
ID 5B74A5BC-348F-11E5-BA05-C80AA9043978
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00

Description

It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
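The missing check described above, as an added illustration in C (not OpenSSH's code and not part of the advisory): a simplified model that counts how many keyboard-interactive rounds a client-supplied device list would start, with and without duplicate filtering. The device table, the function name and the sample list are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed device table; the names are illustrative assumptions. */
static const char *const devices[] = { "pam", "bsdauth", "skey" };
#define NDEVICES (sizeof(devices) / sizeof(devices[0]))

/*
 * Walk a client-supplied, comma-separated device list and return how many
 * authentication rounds this model would start. With dedupe != 0, each
 * known device is honoured at most once per request; unknown and empty
 * entries are ignored in both modes.
 */
int count_rounds(const char *client_list, int dedupe)
{
    unsigned int done = 0;   /* bitmask of devices already used */
    int rounds = 0;
    const char *p = client_list;

    while (*p != '\0') {
        size_t len = strcspn(p, ",");
        for (size_t i = 0; i < NDEVICES; i++) {
            if (strlen(devices[i]) != len || strncmp(p, devices[i], len) != 0)
                continue;
            if (dedupe && (done & (1u << i)))
                break;       /* duplicate entry: start no further round */
            done |= 1u << i;
            rounds++;
            break;
        }
        p += len;
        if (*p == ',')
            p++;
    }
    return rounds;
}

int main(void)
{
    const char *list = "pam,pam,pam,bsdauth,pam"; /* constructed input */
    printf("without duplicate check: %d rounds\n", count_rounds(list, 0));
    printf("with duplicate check:    %d rounds\n", count_rounds(list, 1));
    return 0;
}
```

With the duplicate check, the number of rounds is bounded by the number of distinct devices the server knows, not by the length of the list the client sends.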