Lucene search

K
ubuntucveUbuntu.comUB:CVE-2015-5600
HistoryAug 02, 2015 - 12:00 a.m.

CVE-2015-5600

2015-08-0200:00:00
ubuntu.com
ubuntu.com
37

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:N/A:C

0.164 Low

EPSS

Percentile

95.9%

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through
6.9 does not properly restrict the processing of keyboard-interactive
devices within a single connection, which makes it easier for remote
attackers to conduct brute-force attacks or cause a denial of service (CPU
consumption) via a long and duplicative list in the ssh
-oKbdInteractiveDevices option, as demonstrated by a modified client that
provides a different password for each pam element on this list.

Notes

Author Note
tyhicks Only affects systems with KbdInteractiveAuthentication set to ‘yes’. By default, that option is set to ‘no’ in Ubuntu.
OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchopenssh< 1:5.9p1-5ubuntu1.6UNKNOWN
ubuntu14.04noarchopenssh< 1:6.6p1-2ubuntu2.2UNKNOWN
ubuntu15.04noarchopenssh< 1:6.7p1-5ubuntu1.2UNKNOWN

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:N/A:C

0.164 Low

EPSS

Percentile

95.9%

Related for UB:CVE-2015-5600