CVE-2015-5600
published 2015-08-03


Priority: P351 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.30% (94.7th percentile)
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | |
debian | openssh | < openssh 1:6.9p1-1 (bookworm) | openssh 1:6.9p1-1 (bookworm)
openbsd | openssh | <= 6.9 |
openbsd | openssh | >= 0 < 1:6.9p1-1 | 1:6.9p1-1
openbsd | openssh | >= 0 < 1:6.9p1-1 | 1:6.9p1-1
openbsd | openssh | >= 0 < 1:6.9p1-1 | 1:6.9p1-1
openbsd | openssh | >= 0 < 1:6.9p1-1 | 1:6.9p1-1
openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.3 | 1:6.6p1-2ubuntu2.3
openbsd | openssh | >= 0 < 1:6.6p1-2ubuntu2.2 | 1:6.6p1-2ubuntu2.2

Detection & IOCs (extracted from sources)

command: ssh -oKbdInteractiveDevices
path: /etc/ssh/sshd_config
  • The attack exploits the kbdint_next_device function in auth2-chall.c by supplying a long, duplicative list of keyboard-interactive devices to bypass MaxAuthTries; detect SSH connections presenting an abnormally long or repeated KbdInteractiveDevices list.
  • Monitor for unusually high numbers of authentication attempts within a single SSH connection that exceed the configured MaxAuthTries value, which is the primary indicator of this bypass being exploited.
  • Alert on sshd CPU spikes correlated with keyboard-interactive authentication sessions, as the vulnerability can also be used for denial of service via CPU consumption.
  • Flag OpenSSH versions through 6.9 running with PAM-based password authentication (UsePAM yes / ChallengeResponseAuthentication yes) as vulnerable targets.
  • The vulnerability only affects non-default configurations where keyboard-interactive (PAM) authentication is enabled; default Red Hat Enterprise Linux 4, 5, 6, and 7 configurations are not affected.
  • Setting 'ChallengeResponseAuthentication no' in sshd_config mitigates the issue but disables keyboard-interactive authentication entirely.
  • Setting 'UsePAM no' in sshd_config also mitigates CVE-2015-5600 but at the cost of losing PAM framework features.
  • The upstream fix for CVE-2015-5600 introduced a regression causing random authentication failures in non-default configurations; a follow-on update (USN-2710-2) was required.
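
The per-connection check from the second detection bullet, as an added example (not code from this page or from OpenSSH). It assumes sshd writes one `error: PAM: ... for USER from HOST` line per failed PAM conversation and that one sshd PID handles one connection; the function names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed log shape: sshd's PAM error line, one per failed PAM conversation, e.g.
#   sshd[4242]: error: PAM: Authentication failure for root from 203.0.113.7
PAM_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: PAM: .+? for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<host>\S+)"
)


def connections_over_limit(lines, max_auth_tries=6):
    """Map (pid, host) -> PAM failure count for connections above MaxAuthTries.

    Assumption: one sshd PID handles one connection, so (pid, host) stands
    in for "a single connection". 6 is the sshd default for MaxAuthTries;
    pass the value configured in /etc/ssh/sshd_config if it differs.
    """
    counts = Counter()
    for line in lines:
        m = PAM_FAIL_RE.search(line)
        if m:
            counts[(m["pid"], m["host"])] += 1
    return {conn: n for conn, n in counts.items() if n > max_auth_tries}


def sample_log():
    """Constructed auth.log lines (documentation addresses, made-up PIDs)."""
    noisy = [
        f"Aug  3 10:00:{i:02d} host sshd[4242]: error: PAM: Authentication "
        "failure for root from 203.0.113.7"
        for i in range(40)
    ]
    normal = [
        f"Aug  3 10:05:{i:02d} host sshd[4300]: error: PAM: Authentication "
        "failure for illegal user test from 198.51.100.4"
        for i in range(3)
    ]
    other = ["Aug  3 10:06:00 host sshd[4301]: Failed password for bob from "
             "198.51.100.9 port 50222 ssh2"]
    return noisy + normal + other


if __name__ == "__main__":
    for (pid, host), n in connections_over_limit(sample_log()).items():
        print(f"sshd[{pid}] {host}: {n} PAM failures in one connection")
```

PID reuse on a long-running host can merge unrelated connections, so apply the count within a bounded time window when running it over real logs.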

CVSS provenance

nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 8.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:N/A:C
osv | | 8.5 | HIGH |
vendor_debian | | 8.5 | HIGH |
vendor_redhat | | 8.5 | HIGH |
vendor_cisco | | 7.8 | HIGH |
vendor_ubuntu | | 4.3 | MEDIUM |