CVE-2015-5600

NameCVE-2015-5600
DescriptionThe kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-288-1
NVD severityhigh (attack range: remote)
Debian Bugs793616

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssh (PTS)wheezy1:6.0p1-4+deb7u4vulnerable
wheezy (security)1:6.0p1-4+deb7u6vulnerable
jessie (security), jessie1:6.7p1-5+deb8u3vulnerable
stretch1:7.4p1-10+deb9u1fixed
buster, sid1:7.6p1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensshsource(unstable)1:6.9p1-1high793616
opensshsourcesqueeze1:5.5p1-6+squeeze6highDLA-288-1

Notes

[jessie] - openssh <no-dsa> (Minor issue; not in default configurations)
[wheezy] - openssh <no-dsa> (Minor issue; not in default configurations)
http://seclists.org/fulldisclosure/2015/Jul/92
Affects configurations that have KbdInteractiveAuthentication set
to yes. Default for KbdInteractiveAuthentication is to use whatever
value ChallengeResponseAuthentication is set to, which is 'no' in
default configurations in Debian.

Search for package or bug name: Reporting problems