CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSH Vulnerability Exposes Servers to Brute Force Attacks

A vulnerability in OpenSSH can be exploited to bypass the maximum number of authentication attempts and launch brute force attacks against a targeted server, a researcher has warned.

A vulnerability in OpenSSH can be exploited to bypass the maximum number of authentication attempts and launch brute force attacks against a targeted server, a researcher has warned.

OpenSSH is the OpenBSD Project’s free and open source implementation of the Secure Shell (SSH) cryptographic network protocol. OpenSSH provides traffic encryption, secure tunneling capabilities, and authentication methods. The software has been integrated into Linux and Apple’s Mac OS X operating systems, and products developed by companies such as Cisco, HP, IBM, Dell and Juniper Networks.

A researcher known as KingCope has found that the six authentication attempts allowed by default by OpenSSH before the connection is closed can be defeated by exploiting a vulnerability that allows an attacker to request a large number of password prompts.

According to the expert, a remote attacker could try out as many as 10,000 different passwords and they would only be limited by a “login grace time” setting, which by default is set to two minutes.

The vulnerability is related to the keyboard-interactive authentication mechanism and it can be exploited through the KbdInteractiveDevices option.

“The crucial part is that if the attacker requests 10000 keyboard-interactive devices, OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded,” the researcher explained in a blog post.

KingCope has published proof-of-concept (PoC) code to demonstrate the existence of the vulnerability in OpenSSH 6.9, the latest version of the software.

The vulnerability affects systems where keyboard-interactive authentication is enabled. The researcher successfully reproduced the bug on FreeBSD 10.1 and older versions of the operating system, including FreeBSD 6.2, which was released in 2007.

Advertisement. Scroll to continue reading.

The MITRE Corporation today assigned the CVE-2015-5600 identifier to this vulnerability.

“As far as we can tell, the essence of the vulnerability is that the client shouldn’t be able to specify an arbitrarily large number of KbdInteractiveDevices and be entitled to have the server cooperate,” said MITRE’s CVE assignment team.

A patch for this vulnerability has been created by OpenSSH developers and it will be included in OpenSSH 7.0, which is expected to be released in a few weeks.

In the meantime, some of the recommendations provided by experts for mitigating potential attacks include limiting access to SSH in the firewall, disabling password authentication for the root account, mitigating brute force attacks via intrusion detection systems (IDS), and using strong passwords.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.