CVE-2015-5600

NameCVE-2015-5600
DescriptionThe kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1500-1, DLA-288-1
NVD severityhigh (attack range: remote)
Debian Bugs793616

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)jessie1:6.7p1-5+deb8u4vulnerable
jessie (security)1:6.7p1-5+deb8u8fixed
stretch (security), stretch1:7.4p1-10+deb9u6fixed
buster1:7.9p1-10fixed
bullseye, sid1:8.0p1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsource(unstable)1:6.9p1-1high793616
opensshsourcejessie1:6.7p1-5+deb8u6highDLA-1500-1
opensshsourcesqueeze1:5.5p1-6+squeeze6highDLA-288-1

Notes

[wheezy] - openssh <no-dsa> (Minor issue; not in default configurations)
http://seclists.org/fulldisclosure/2015/Jul/92
Affects configurations that have KbdInteractiveAuthentication set
to yes. Default for KbdInteractiveAuthentication is to use whatever
value ChallengeResponseAuthentication is set to, which is 'no' in
default configurations in Debian.

Search for package or bug name: Reporting problems