8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C
0.164 Low
EPSS
Percentile
95.9%
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through
6.9 does not properly restrict the processing of keyboard-interactive
devices within a single connection, which makes it easier for remote
attackers to conduct brute-force attacks or cause a denial of service (CPU
consumption) via a long and duplicative list in the ssh
-oKbdInteractiveDevices option, as demonstrated by a modified client that
provides a different password for each pam element on this list.
Author | Note |
---|---|
tyhicks | Only affects systems with KbdInteractiveAuthentication set to ‘yes’. By default, that option is set to ‘no’ in Ubuntu. |
seclists.org/fulldisclosure/2015/Jul/92
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
launchpad.net/bugs/cve/CVE-2015-5600
nvd.nist.gov/vuln/detail/CVE-2015-5600
security-tracker.debian.org/tracker/CVE-2015-5600
ubuntu.com/security/notices/USN-2710-1