Security Experts:

Connect with us

Hi, what are you looking for?



OpenSSH Vulnerability Exposes Servers to Brute Force Attacks

A vulnerability in OpenSSH can be exploited to bypass the maximum number of authentication attempts and launch brute force attacks against a targeted server, a researcher has warned.

A vulnerability in OpenSSH can be exploited to bypass the maximum number of authentication attempts and launch brute force attacks against a targeted server, a researcher has warned.

OpenSSH is the OpenBSD Project’s free and open source implementation of the Secure Shell (SSH) cryptographic network protocol. OpenSSH provides traffic encryption, secure tunneling capabilities, and authentication methods. The software has been integrated into Linux and Apple’s Mac OS X operating systems, and products developed by companies such as Cisco, HP, IBM, Dell and Juniper Networks.

A researcher known as KingCope has found that the six authentication attempts allowed by default by OpenSSH before the connection is closed can be defeated by exploiting a vulnerability that allows an attacker to request a large number of password prompts.

According to the expert, a remote attacker could try out as many as 10,000 different passwords and they would only be limited by a “login grace time” setting, which by default is set to two minutes.

The vulnerability is related to the keyboard-interactive authentication mechanism and it can be exploited through the KbdInteractiveDevices option.

“The crucial part is that if the attacker requests 10000 keyboard-interactive devices, OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded,” the researcher explained in a blog post.

KingCope has published proof-of-concept (PoC) code to demonstrate the existence of the vulnerability in OpenSSH 6.9, the latest version of the software.

The vulnerability affects systems where keyboard-interactive authentication is enabled. The researcher successfully reproduced the bug on FreeBSD 10.1 and older versions of the operating system, including FreeBSD 6.2, which was released in 2007.

The MITRE Corporation today assigned the CVE-2015-5600 identifier to this vulnerability.

“As far as we can tell, the essence of the vulnerability is that the client shouldn’t be able to specify an arbitrarily large number of KbdInteractiveDevices and be entitled to have the server cooperate,” said MITRE’s CVE assignment team.

A patch for this vulnerability has been created by OpenSSH developers and it will be included in OpenSSH 7.0, which is expected to be released in a few weeks.

In the meantime, some of the recommendations provided by experts for mitigating potential attacks include limiting access to SSH in the firewall, disabling password authentication for the root account, mitigating brute force attacks via intrusion detection systems (IDS), and using strong passwords.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.