BSA-2017-255
21653
21 March 2019
02 May 2017
Closed
Medium
7.8
Yes
CVE-2015-5600
Summary
Security Advisory ID : BSA-2017-255
Component : OpenSSH
Revision : 2.0: Final
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
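The weakness described above lets a single SSH connection drive many more password guesses through keyboard-interactive/PAM than `MaxAuthTries` (default 6) is supposed to permit. A defender watching an sshd log can spot this because OpenSSH handles each connection in its own forked process, so the PID in the log line identifies the connection: an unusually high count of `Failed keyboard-interactive/pam` lines sharing one PID is the signal. The following is an added detection example, not part of this advisory or of any Brocade or OpenSSH code; the log lines are constructed samples in OpenSSH's standard failure format, and the threshold and function names are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH logs one line per failed keyboard-interactive attempt; the PID in
# "sshd[NNNN]" belongs to the per-connection child process, so grouping by
# (pid, source ip) counts failures within a single connection.
LOG_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed keyboard-interactive/pam for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def count_failures_per_connection(lines):
    """Return {(pid, ip): number_of_failed_keyboard_interactive_attempts}."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m.group("pid"), m.group("ip"))] += 1
    return dict(counts)


def flag_excessive(lines, max_auth_tries=6):
    """Return [(pid, ip, count), ...] for connections whose failure count
    exceeds what MaxAuthTries (OpenSSH default 6) should allow."""
    return sorted(
        (pid, ip, n)
        for (pid, ip), n in count_failures_per_connection(lines).items()
        if n > max_auth_tries
    )


# Constructed sample log: PID 4120 carries 8 failures in one connection
# (more than MaxAuthTries allows), PID 4133 is an ordinary mistyped login.
SAMPLE_LOG = [
    f"May  2 10:00:{s:02d} host sshd[4120]: Failed keyboard-interactive/pam "
    f"for admin from 10.0.0.5 port 51000 ssh2"
    for s in range(1, 9)
] + [
    "May  2 10:01:00 host sshd[4133]: Failed keyboard-interactive/pam "
    "for admin from 10.0.0.7 port 51010 ssh2",
    "May  2 10:01:03 host sshd[4133]: Failed keyboard-interactive/pam "
    "for admin from 10.0.0.7 port 51010 ssh2",
    "May  2 10:01:10 host sshd[4133]: Accepted keyboard-interactive/pam "
    "for admin from 10.0.0.7 port 51010 ssh2",
]

if __name__ == "__main__":
    for pid, ip, n in flag_excessive(SAMPLE_LOG):
        print(f"connection sshd[{pid}] from {ip}: {n} failed attempts")
```

Run it against a real auth log by replacing `SAMPLE_LOG` with the file's lines; on an unpatched host, a count well above `MaxAuthTries` for one PID is the signature of this issue, while a patched sshd will have closed the connection before the count gets that high.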
Affected Products
Brocade Fabric OS - Impacted : Fixed in v7.4.2, v7.4.1d, v8.1.0 and later releases.
Products Confirmed Not Vulnerable
Brocade Network Advisor, Brocade SANnav
Workaround
Limit access to the management interface using a firewall and/or ipfilter.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | May 2, 2017 |
2.0 | Updated Fabric OS version and to reflect Brocade Fibre Channel Products only. Risk Impact updated to Medium | March 21, 2019 |