Security Experts:

OpenSSH Vulnerability Exposes Servers to Brute Force Attacks

A vulnerability in OpenSSH can be exploited to bypass the maximum number of authentication attempts and launch brute force attacks against a targeted server, a researcher has warned.

OpenSSH is the OpenBSD Project’s free and open source implementation of the Secure Shell (SSH) cryptographic network protocol. OpenSSH provides traffic encryption, secure tunneling capabilities, and authentication methods. The software has been integrated into Linux and Apple’s Mac OS X operating systems, and products developed by companies such as Cisco, HP, IBM, Dell and Juniper Networks.

A researcher known as KingCope has found that the six authentication attempts allowed by default by OpenSSH before the connection is closed can be defeated by exploiting a vulnerability that allows an attacker to request a large number of password prompts.

According to the expert, a remote attacker could try out as many as 10,000 different passwords and they would only be limited by a “login grace time” setting, which by default is set to two minutes.

The vulnerability is related to the keyboard-interactive authentication mechanism and it can be exploited through the KbdInteractiveDevices option.

“The crucial part is that if the attacker requests 10000 keyboard-interactive devices, OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded,” the researcher explained in a blog post.

KingCope has published proof-of-concept (PoC) code to demonstrate the existence of the vulnerability in OpenSSH 6.9, the latest version of the software.

The vulnerability affects systems where keyboard-interactive authentication is enabled. The researcher successfully reproduced the bug on FreeBSD 10.1 and older versions of the operating system, including FreeBSD 6.2, which was released in 2007.

The MITRE Corporation today assigned the CVE-2015-5600 identifier to this vulnerability.

“As far as we can tell, the essence of the vulnerability is that the client shouldn't be able to specify an arbitrarily large number of KbdInteractiveDevices and be entitled to have the server cooperate,” said MITRE’s CVE assignment team.

A patch for this vulnerability has been created by OpenSSH developers and it will be included in OpenSSH 7.0, which is expected to be released in a few weeks.

In the meantime, some of the recommendations provided by experts for mitigating potential attacks include limiting access to SSH in the firewall, disabling password authentication for the root account, mitigating brute force attacks via intrusion detection systems (IDS), and using strong passwords.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.