Vigil@nce - OpenSSH: bypassing MaxAuthTries via KbdInteractiveDevices
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass the MaxAuthTries directive of OpenSSH, in
order to perform a brute force attack.
Impacted products: BIG-IP Hardware, TMOS, Fedora, FreeBSD, Copssh,
OpenSSH, Ubuntu.
Severity: 2/4.
Creation date: 20/07/2015.
DESCRIPTION OF THE VULNERABILITY
The OpenSSH server uses the MaxAuthTries configuration directive
to define the maximum number of authentication attempts permitted
during a single session.
The OpenSSH client uses the KbdInteractiveDevices option to define
the list of keyboard-interactive authentication devices to try.
However, if the client uses "KbdInteractiveDevices=pam,pam,pam,etc.",
the number of attempts permitted by MaxAuthTries is effectively
multiplied, so the only remaining limit on the session is
LoginGraceTime (10 minutes by default).
An attacker can therefore bypass the MaxAuthTries directive of
OpenSSH, in order to perform a brute force attack.
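Because MaxAuthTries is a per-session limit, the bypass shows up in sshd logs as one connection (same source address and source port) accumulating far more failures than the directive allows. The following detection script is an added example, not part of the Vigil@nce bulletin or of OpenSSH; the log lines are constructed for illustration and the parsed format assumes the standard "Failed <method> for <user> from <ip> port <port> ssh2" message.

```python
import re
from collections import Counter

# Matches the sshd failure lines that keyboard-interactive/pam and password
# failures produce, e.g.
#   "Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2"
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2"
)

# Constructed sample log (not real traffic): one connection from port 51234
# fails 12 times, far beyond the default MaxAuthTries of 6, while a second
# connection from port 40000 fails only 3 times.
SAMPLE_LOG = [
    f"Jul 20 10:00:{i:02d} host sshd[1234]: Failed keyboard-interactive/pam "
    f"for root from 192.0.2.10 port 51234 ssh2"
    for i in range(12)
] + [
    f"Jul 20 10:01:{i:02d} host sshd[1235]: Failed password "
    f"for invalid user admin from 192.0.2.11 port 40000 ssh2"
    for i in range(3)
]

def failures_per_connection(log_lines):
    """Count failures per TCP connection, keyed by (source ip, source port).

    MaxAuthTries is a per-session limit and a session keeps its source port,
    so grouping by (ip, port) approximates "failures within one session"."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("port"))] += 1
    return counts

def find_maxauthtries_bypass(log_lines, max_auth_tries=6):
    """Return {(ip, port): failures} for connections exceeding MaxAuthTries."""
    return {
        conn: n
        for conn, n in failures_per_connection(log_lines).items()
        if n > max_auth_tries
    }

if __name__ == "__main__":
    for (ip, port), n in find_maxauthtries_bypass(SAMPLE_LOG).items():
        print(f"{ip}:{port} exceeded MaxAuthTries with {n} failures")
```

At the default LogLevel sshd may record some early failures for valid users only at VERBOSE level, so counts taken from INFO-level logs can be lower than the real number of attempts; set LogLevel VERBOSE on the server if this check matters to you.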
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSH-bypassing-MaxAuthTries-via-KbdInteractiveDevices-17455