A new critical vulnerability was discovered in the widely used OpenSSH software, hackers exploiting this flaw can run brute-force attacks against server performing thousands of authentication requests remotely. The vulnerability affects the latest version of OpenSSH (Version 6.9), the MITRE coded the flaw as CVE-2015-5600.
OpenSSH is a software used to encrypt data traffic from clients to server, avoiding eavesdropping, and other attacks. It also provides several authentication methods and secure tunneling capabilities.
Generally, the OpenSSH software allows 3 to 6 Password login attempts before closing a connection, but the flaw discovered by the experts allows hacker to bypass this limitation and run brute-force attacks. This is the case of OpenSSH servers having keyboard-interactive authentication enabled, which can be exploited to carry out the brute force attack on OpenSSH protocol. Unfortunately, the keyboard-interactive authentication is enabled by default on many systems.
The vulnerability has been discovered by a researcher using the pseudonymous KingCope which explained that many systems are affected by the flaw including FreeBSD.
“OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default).With this vulnerability an attacker is able to request as many password prompts limited by the “login graced time” setting, that is set to two minutes by default.Especially FreeBSD systems are affected by the vulnerability because they have keyboard-interactive authentication enabled by default.” explained KingCope in a blog post.
In order to exploit the bug, an attacker can execute the following command:
ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost
The above command allows up to 10000 password entries within two minutes limited by the login grace time setting.
“The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.” continues the expert.
In the meantime, below a few suggestion to mitigate the risks
(Security Affairs – openssh, hacking)