CVE-2015-5600

NameCVE-2015-5600
DescriptionThe kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1500-1, DLA-288-1
Debian Bugs793616

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)buster1:7.9p1-10+deb10u2fixed
buster (security)1:7.9p1-10+deb10u4fixed
bullseye, bullseye (security)1:8.4p1-5+deb11u3fixed
bookworm, bookworm (security)1:9.2p1-2+deb12u2fixed
trixie1:9.6p1-4fixed
sid1:9.7p1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsourcesqueeze1:5.5p1-6+squeeze6DLA-288-1
opensshsourcejessie1:6.7p1-5+deb8u6DLA-1500-1
opensshsource(unstable)1:6.9p1-1793616

Notes

[wheezy] - openssh <no-dsa> (Minor issue; not in default configurations)
http://seclists.org/fulldisclosure/2015/Jul/92
Affects configurations that have KbdInteractiveAuthentication set
to yes. Default for KbdInteractiveAuthentication is to use whatever
value ChallengeResponseAuthentication is set to, which is 'no' in
default configurations in Debian.
Search for package or bug name: Reporting problems