
CVE-2015-5600

openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

  • Severity Score: 8.5 (CVSS v2)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through version 6.9 is vulnerable: it does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to carry out a brute-force attack or cause a denial of service (through CPU consumption) via a long and redundant list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each of the pam elements in the list.

It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: Complete

  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2015-07-20 CVE Reserved
  • 2015-07-28 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • 2024-08-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
  • CWE-304: Missing Critical Step in Authentication
CAPEC
References (35)
URL Tag Source
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10697
http://openwall.com/lists/oss-security/2015/07/23/4 Mailing List
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/75990 Vdb Entry
http://www.securityfocus.com/bid/91787 Vdb Entry
http://www.securityfocus.com/bid/92012 Vdb Entry
http://www.securitytracker.com/id/1032988 Vdb Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952480
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05128992
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
https://kc.mcafee.com/corporate/index?page=content&id=SB10136
https://kc.mcafee.com/corporate/index?page=content&id=SB10157
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html Mailing List
https://security.netapp.com/advisory/ntap-20151106-0001
https://support.apple.com/kb/HT205031
https://www.arista.com/en/support/advisories-notices/security-advisories/1174-security-advisory-12
Affected Vendors, Products, and Versions
Vendor    Product    Version    Other    Status
Openbsd   Openssh    <= 6.9     -        Affected