FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

Affected packages
openssh-portable < 6.9.p1_2,1
10.1 <= FreeBSD < 10.1_16
9.3 <= FreeBSD < 9.3_21
8.4 <= FreeBSD < 8.4_36

Details

VuXML ID: 5b74a5bc-348f-11e5-ba05-c80aa9043978
Discovery: 2015-07-21
Entry: 2015-07-27
Modified: 2016-08-09

It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password-guessing attacks.

References

CVE Name: CVE-2015-5600
FreeBSD Advisory: SA-15:16.openssh
URL: https://access.redhat.com/security/cve/CVE-2015-5600