Описание
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 1:6.7p1-6ubuntu1 |
| esm-infra-legacy/trusty | released | 1:6.6p1-2ubuntu2.2 |
| precise | released | 1:5.9p1-5ubuntu1.6 |
| trusty | released | 1:6.6p1-2ubuntu2.2 |
| trusty/esm | released | 1:6.6p1-2ubuntu2.2 |
| upstream | needed | |
| vivid | released | 1:6.7p1-5ubuntu1.2 |
| vivid/stable-phone-overlay | ignored | end of life, was pending |
| vivid/ubuntu-core | released | 1:6.7p1-5ubuntu1.2 |
Показывать по
8.5 High
CVSS2
Связанные уязвимости
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH th ...
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
Уязвимость функции kbdint_next_device() службы sshd средства криптографической защиты OpenSSH, позволяющая нарушителю реализовать атаку методом «грубой силы» (brute force) или вызвать отказ в обслуживании
8.5 High
CVSS2