The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

weakness alert CVE-2015-5600

OpenSSH: bypassing MaxAuthTries via KbdInteractiveDevices

Synthesis of the vulnerability

An attacker can bypass the MaxAuthTries directive of OpenSSH, in order to perform a brute force attack.
Severity of this announce: 2/4.
Creation date: 20/07/2015.
References for this computer vulnerability: 9010048, bulletinoct2015, CERTFR-2015-AVI-431, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cpujul2018, CVE-2015-5600, DLA-1500-1, DLA-1500-2, FEDORA-2015-11981, FEDORA-2015-13469, FreeBSD-SA-15:16.openssh, JSA10697, JSA10774, JSA10840, K17113, NTAP-20151106-0001, RHSA-2015:2088-06, RHSA-2016:0466-01, SB10157, SB10164, SOL17113, SUSE-SU-2015:1581-1, SYMSA1337, USN-2710-1, USN-2710-2, VIGILANCE-VUL-17455.

Description of the vulnerability

The OpenSSH server uses the MaxAuthTries configuration directive to define the maximum number of authentication attempts allowed during one session.

The OpenSSH client uses the KbdInteractiveDevices option to define the list of keyboard-interactive authentication devices (such as pam) to be tried.

However, if the client requests a repeated device list such as "KbdInteractiveDevices=pam,pam,pam,etc.", the server grants one batch of prompts per listed device, so the MaxAuthTries limit is multiplied by the length of that list. The effective limit thus becomes LoginGraceTime (10 minutes by default) rather than MaxAuthTries.

An attacker can therefore bypass the MaxAuthTries directive of OpenSSH, in order to perform a brute force attack.
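As an added example (not part of the Vigil@nce bulletin), a small Python check that counts failed authentication attempts per SSH connection in sshd syslog output and flags any connection that exceeds MaxAuthTries, which is the direct trace this bypass leaves. The log lines are constructed, and the regex assumes OpenSSH's standard "Failed <method> for <user> from <ip> port <port>" message format.

```python
# Added example, not from the Vigil@nce bulletin or the OpenSSH project.
# Under CVE-2015-5600 a single TCP connection can produce far more
# keyboard-interactive failures than MaxAuthTries allows, so counting
# failures per (source ip, source port) is a direct detection signal.
# The log lines below are constructed to mimic OpenSSH syslog output.
import re
from collections import Counter

# OpenSSH logs one "Failed <method> for <user> from <ip> port <port>" line
# per rejected attempt; the (ip, port) pair identifies one TCP connection.
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def count_failures_per_connection(lines):
    """Return {(ip, port): failure_count} for every connection seen."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("port"))] += 1
    return counts

def find_overlimit_connections(lines, max_auth_tries=6):
    """Connections with more failures than MaxAuthTries (OpenSSH default 6)."""
    counts = count_failures_per_connection(lines)
    return {conn: n for conn, n in counts.items() if n > max_auth_tries}

# Constructed sample: one ordinary session with 3 password failures and one
# session that racks up 9 keyboard-interactive failures on the same port.
SAMPLE_LOG = (
    ["Jul 20 10:00:01 host sshd[1234]: Failed password for alice "
     "from 192.0.2.10 port 50000 ssh2"] * 3
    + ["Jul 20 10:01:00 host sshd[1235]: Failed keyboard-interactive/pam "
       "for root from 198.51.100.7 port 40001 ssh2"] * 9
)

if __name__ == "__main__":
    for (ip, port), n in find_overlimit_connections(SAMPLE_LOG).items():
        print(f"{ip}:{port} exceeded MaxAuthTries with {n} failed attempts")
```

On a patched server a connection cannot exceed MaxAuthTries, so any hit from this check on a live host is worth investigating regardless of whether the source address is known.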

This computer vulnerability note impacts software or systems such as Blue Coat CAS, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, McAfee NSP, McAfee Web Gateway, Data ONTAP 7-Mode, OpenSSH, Oracle Communications, Solaris, pfSense, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this computer vulnerability announcement is medium.

The trust level is "confirmed by the vendor", and the attack origin is an intranet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this cybersecurity announcement.

Solutions for this threat

OpenSSH: version 7.0.
The version 7.0 is fixed:
  http://www.openssh.com/

OpenSSH: patch for MaxAuthTries.
A patch is available in information sources.

OpenSSH: workaround for MaxAuthTries.
A workaround is to:
 - on FreeBSD: use the "overload" feature of the PF firewall
 - on other systems: use the firewall feature to limit the number of connections from an IP/network address
 - lower LoginGraceTime to 30 seconds.
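As an added illustration of the workaround above (not taken from the bulletin or from any vendor advisory), the two configuration fragments below show the lowered LoginGraceTime in sshd_config and a PF rule using the "overload" feature; the table name, interface variable and rate values are assumptions to be adapted to the host.

```conf
# /etc/ssh/sshd_config (fragment): with the bypass, the session-level
# limit is LoginGraceTime, so shorten it as the bulletin recommends.
LoginGraceTime 30
MaxAuthTries 6

# /etc/pf.conf (fragment, FreeBSD): drop sources that open SSH
# connections too quickly. <ssh_bruteforce> and $ext_if are placeholders;
# 5 new connections per 30 seconds is an assumed threshold.
table <ssh_bruteforce> persist
block in quick from <ssh_bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh_bruteforce> flush global)
```

The PF rule bounds how often one address can reconnect; the shorter LoginGraceTime is what bounds the number of attempts inside a single connection, which is where this bypass operates.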

Blue Coat Content Analysis System: fixed versions for OpenSSH.
Fixed versions are indicated in information sources.

Debian 8: new openssh packages.
New packages are available:
  Debian 8: openssh 1:6.7p1-5+deb8u7

F5 BIG-IP: solution for OpenSSH.
The solution is indicated in information sources.

Fedora: new openssh packages.
New packages are available:
  Fedora 21: openssh 6.6.1p1-16.fc21
  Fedora 22: openssh 6.9p1-3.fc22

FreeBSD: patch for OpenSSH.
A patch is available:
  https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
  https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch
  https://security.FreeBSD.org/patches/SA-15:16/openssh.patch

ITeFix Copssh: version 5.3.0.
The version 5.3.0 is fixed:
  https://www.itefix.net/software

Juniper Junos: fixed versions for OpenSSH.
Fixed versions are indicated in information sources.

Juniper NSM Appliance: patch for Upgrade Package v3.
A patch is available:
  http://www.juniper.net/support/downloads/?p=nsm#sw

Junos Space Security Director and Log Collector: version 17.2R1.
The version 17.2R1 is fixed.

McAfee Network Security Platform: fixed versions for OpenSSH.
Fixed versions are indicated in information sources.

McAfee Web Gateway: versions 7.5.2.9 and 7.6.2.1.
Versions 7.5.2.9 and 7.6.2.1 are fixed:
  https://kc.mcafee.com/corporate/index?page=content&id=KB56057

NetApp Data ONTAP: patch for OpenSSH MaxAuthTries.
A patch is available:
  Data ONTAP Edge: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=930626

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

pfSense: version 2.2.5.
The version 2.2.5 is fixed:
  https://pfsense.org/download/

RHEL 6: new openssh packages.
New packages are available:
  RHEL 6: openssh 5.3p1-114.el6_7

RHEL 7: new openssh packages.
New packages are available:
  RHEL 7: openssh 6.6.1p1-22.el7

Solaris: patch for Third Party (10/2015).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11 SP3: new openssh packages.
New packages are available:
  SUSE LE 11 SP3: openssh 6.2p2-0.21.1

Ubuntu: new openssh-server packages.
New packages are available:
  Ubuntu 15.04: openssh-server 1:6.7p1-5ubuntu1.3
  Ubuntu 14.04 LTS: openssh-server 1:6.6p1-2ubuntu2.3
  Ubuntu 12.04 LTS: openssh-server 1:5.9p1-5ubuntu1.7

Computer vulnerabilities tracking service

Vigil@nce provides a network vulnerability patch. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.