OpenSSH Flaw exposes servers to brute-force attacks

Pierluigi Paganini July 23, 2015

A new critical vulnerability has been discovered in the widely used OpenSSH software; hackers exploiting this flaw can run brute-force attacks against servers.

A new critical vulnerability has been discovered in the widely used OpenSSH software; hackers exploiting this flaw can run brute-force attacks against servers by performing thousands of authentication requests remotely. The vulnerability affects the latest version of OpenSSH (version 6.9), and MITRE has coded the flaw as CVE-2015-5600.

OpenSSH is software used to encrypt data traffic between clients and servers, preventing eavesdropping and other attacks. It also provides several authentication methods and secure tunneling capabilities.

Generally, OpenSSH allows 3 to 6 password login attempts before closing a connection, but the flaw discovered by the experts allows an attacker to bypass this limit and run brute-force attacks. This applies to OpenSSH servers that have keyboard-interactive authentication enabled, which can be exploited to carry out the brute-force attack. Unfortunately, keyboard-interactive authentication is enabled by default on many systems.


The vulnerability was discovered by a researcher using the pseudonym KingCope, who explained that many systems are affected by the flaw, including FreeBSD.

“OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default). With this vulnerability an attacker is able to request as many password prompts limited by the “login graced time” setting, that is set to two minutes by default. Especially FreeBSD systems are affected by the vulnerability because they have keyboard-interactive authentication enabled by default.” explained KingCope in a blog post.

In order to exploit the bug, an attacker can execute the following command:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

The above command allows up to 10000 password entries within the two minutes permitted by the login grace time setting.

“The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.” continues the expert.

Two minutes of ‘grace period’ and thousands of login attempts are enough to successfully run a brute-force attack using a common dictionary.

The next release of the software, OpenSSH 7.0, will include a patch that fixes the problem. The new release is expected in a few weeks.

In the meantime, below are a few suggestions to mitigate the risk:

  • Limit access to SSH by using a firewall.
  • Disable password authentication for the root account.
  • Use intrusion detection systems (IDS) to mitigate brute force attacks.
  • Use strong passwords.
  • Use a cryptographic key pair that is at least 2,048 bits in length.
  • Reduce the grace period to 20 or 30 seconds.
  • Use applications to control and limit failed login attempts.
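
As an added example (not from the original article or the OpenSSH project), the following Python sketch audits the text of an sshd_config file for the settings discussed above: keyboard-interactive exposure, the grace period, and root password login. The function names, the 30-second threshold and the assumed 6.9-era upstream defaults are assumptions of this example.

```python
import re

# Assumed upstream defaults for a 6.9-era sshd; distributions may ship others.
DEFAULTS = {"challengeresponseauthentication": "yes", "logingracetime": "120",
            "permitrootlogin": "yes"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_config(text):
    """Global settings only; sshd keeps the first value it reads per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks follow; stop at the first one
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def grace_seconds(value):
    """Convert sshd time formats such as 120, 2m or 1m30s to seconds."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))

def audit(text, max_grace=30):
    """Return a list of findings for the mitigations listed in the article."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    # KbdInteractiveAuthentication falls back to ChallengeResponseAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"])
    if kbd == "yes":
        findings.append("keyboard-interactive authentication is enabled")
    grace = grace_seconds(cfg["logingracetime"])
    if grace == 0 or grace > max_grace:  # 0 means no time limit at all
        findings.append(f"LoginGraceTime is {grace}s; 20 to 30 seconds suggested")
    if cfg["permitrootlogin"] == "yes":
        findings.append("root may log in with a password")
    return findings

# Constructed sample configurations, not taken from any real host.
STOCK = "# stock settings, nothing overridden\nPort 22\n"
HARDENED = ("KbdInteractiveAuthentication no\nChallengeResponseAuthentication no\n"
            "LoginGraceTime 30s\nPermitRootLogin without-password\n")

if __name__ == "__main__":
    for name, sample in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

On a live host, the effective configuration printed by `sshd -T` can be passed to `audit()` instead of the file contents, which also covers included defaults.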

Pierluigi Paganini

(Security Affairs – openssh, hacking)
