CVE-2015-5600

openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

Severity Score

8.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Vulnerabilidad en la función kbdint_next_device en auth2-chall.c en sshd en OpenSSH hasta la versión 6.9, no restringe correctamente el procesamiento de dispositivos de teclado interactivo con una única conexión, lo cual facilita a atacantes remotos ejecutar un ataque de fuerza bruta o causar una denegación de servicio (mediante el consumo de la CPU) a través de una lista larga y redundante en la opción ssh -oKbdInteractiveDevices, según lo demostrado por una modificación en el cliente que provee una contraseña diferente para cada uno de los elementos pam de la lista.

It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Complete

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-07-20 CVE Reserved
2015-07-28 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-08-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-304: Missing Critical Step in Authentication

CAPEC

References (35)

URL	Tag	Source
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10697
http://openwall.com/lists/oss-security/2015/07/23/4	Mailing List
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/75990	Vdb Entry
http://www.securityfocus.com/bid/91787	Vdb Entry
http://www.securityfocus.com/bid/92012	Vdb Entry
http://www.securitytracker.com/id/1032988	Vdb Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952480
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05128992
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
https://kc.mcafee.com/corporate/index?page=content&id=SB10136
https://kc.mcafee.com/corporate/index?page=content&id=SB10157
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html	Mailing List
https://security.netapp.com/advisory/ntap-20151106-0001
https://support.apple.com/kb/HT205031
https://www.arista.com/en/support/advisories-notices/security-advisories/1174-security-advisory-12

URL	Date	SRC
http://seclists.org/fulldisclosure/2015/Jul/92	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	2022-12-13
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html	2022-12-13
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162955.html	2022-12-13
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html	2022-12-13
http://rhn.redhat.com/errata/RHSA-2016-0466.html	2022-12-13
http://www.ubuntu.com/usn/USN-2710-1	2022-12-13
http://www.ubuntu.com/usn/USN-2710-2	2022-12-13
https://security.gentoo.org/glsa/201512-04	2022-12-13
https://access.redhat.com/security/cve/CVE-2015-5600	2016-03-21
https://bugzilla.redhat.com/show_bug.cgi?id=1245969	2016-03-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				<= 6.9 Search vendor "Openbsd" for product "Openssh" and version " <= 6.9"		-		Affected