DescriptionThe kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1500-1, DLA-288-1
Debian Bugs793616

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)bullseye (security), bullseye1:8.4p1-5+deb11u3fixed
bookworm (security)1:9.2p1-2+deb12u3fixed
sid, trixie1:9.7p1-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[wheezy] - openssh <no-dsa> (Minor issue; not in default configurations)
Affects configurations that have KbdInteractiveAuthentication set
to yes. Default for KbdInteractiveAuthentication is to use whatever
value ChallengeResponseAuthentication is set to, which is 'no' in
default configurations in Debian.

Search for package or bug name: Reporting problems