Bugzilla – Bug 938746
VUL-0: CVE-2015-5600: openssh: Keyboard-interactive authentication brute force vulnerability
Last modified: 2019-06-16 14:38:23 UTC
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/ "With this vulnerability an attacker is able to request as many password prompts limited by the “login graced time” setting, that is set to two minutes by default."
bugbot adjusting priority
CVE-2015-5600 was assigned
Created attachment 641785 [details] Upstream patch
REPRODUCER: ssh -ltux -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` localhost should not allow more than around 3 password entries.
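A defender-side check for the behaviour quoted above (far more password prompts in one connection than MaxAuthTries should allow), added here as an example and not part of the bug report or of OpenSSH itself: it scans sshd log lines for keyboard-interactive failures and flags any single session whose failure count exceeds MaxAuthTries. The sample log lines are constructed; the session key (client address, port, user) is an assumption of this example.

```python
import re
from collections import Counter

# sshd's syslog line for a failed keyboard-interactive attempt; the device
# name after the slash (e.g. "pam") is matched generically.
_KBDINT_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed keyboard-interactive/\S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+) ssh2"
)

def kbdint_failures_per_session(lines):
    """Count keyboard-interactive failures per (client ip, client port, user).

    The client port identifies one TCP connection, so retries over a new
    connection are not merged with the session in which the prompts were issued.
    """
    counts = Counter()
    for line in lines:
        m = _KBDINT_FAIL.search(line)
        if m:
            counts[(m["ip"], m["port"], m["user"])] += 1
    return counts

def find_maxauthtries_bypass(lines, max_auth_tries=6):
    """Return sessions whose failure count exceeds MaxAuthTries (sshd default 6).

    A patched sshd stops issuing prompts well before this; an unpatched one
    keeps prompting until LoginGraceTime expires, which is the signal to alert on.
    """
    return sorted(key + (n,) for key, n in kbdint_failures_per_session(lines).items()
                  if n > max_auth_tries)

def _constructed_sample():
    # Constructed sample lines in sshd's syslog format (not taken from the bug).
    tmpl = ("Jul 17 10:00:{sec:02d} host sshd[{pid}]: Failed keyboard-interactive/pam "
            "for {user} from {ip} port {port} ssh2")
    lines = [tmpl.format(sec=i, pid=1234, user="tux", ip="192.0.2.10", port=51234) for i in range(10)]
    lines.append("Jul 17 10:00:20 host sshd[1235]: Failed password for tux from 198.51.100.7 port 40000 ssh2")
    lines += [tmpl.format(sec=30 + i, pid=1236, user="tux", ip="192.0.2.11", port=51300) for i in range(3)]
    return lines

if __name__ == "__main__":
    for ip, port, user, n in find_maxauthtries_bypass(_constructed_sample()):
        print(f"ALERT: {n} keyboard-interactive failures for {user} from {ip}:{port} in one session")
```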
Adjusting severity
SUSE-SU-2015:1544-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 903649,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 12 (src): openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
SUSE Linux Enterprise Desktop 12 (src): openssh-6.6p1-29.1, openssh-askpass-gnome-6.6p1-29.1
SUSE-SU-2015:1547-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Server 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE-SU-2015:1547-2: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.17.1, openssh-askpass-gnome-6.2p2-0.17.3
SUSE-SU-2015:1581-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 673532,903649,905118,914309,916549,932483,936695,938746,943006,943010,945493
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Server 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Desktop 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssh-6.2p2-0.21.1, openssh-askpass-gnome-6.2p2-0.21.3
Requesting a SLES11 SP1 LTSS patch for this.
(In reply to Haral Tsitsivas from comment #25) This doesn't qualify for an LTSS update, sorry.
If you have a valid LTSS contract for the SLES11 SP1 LTSS codestream, please request a PTF via your regular support contact.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-10-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62308
SUSE-SU-2015:1695-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 903649,932483,936695,938746,939932,943006,943010,945484,945493,947458
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600,CVE-2015-6563,CVE-2015-6564
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Desktop 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-13.1, openssh-askpass-gnome-6.6p1-13.3
SUSE-SU-2015:1840-1: An update that solves three vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 673532,903649,905118,914309,932483,936695,938746
CVE References: CVE-2015-4000,CVE-2015-5352,CVE-2015-5600
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): openssh-5.1p1-41.69.1, openssh-askpass-gnome-5.1p1-41.69.4
I have a customer that is an LTSS contract customer and is requesting this fix get ported back to SLES 10 SP4. Should I use this same defect or do I need to create another one? Please advise. Greg
*** Bug 951769 has been marked as a duplicate of this bug. ***
*** Bug 959298 has been marked as a duplicate of this bug. ***
*** Bug 966692 has been marked as a duplicate of this bug. ***
A maintenance update for Leap 42.1 was imported, a separate update for 13.2 was requested, we do not seem to have shipped it.
This is an autogenerated message for OBS integration: This bug (938746) was mentioned in https://build.opensuse.org/request/show/398334 13.2 / openssh
*** Bug 986650 has been marked as a duplicate of this bug. ***
Is a fix package for openSUSE 13.2 still planned? The request (https://build.opensuse.org/request/show/398334) seems to be declined...
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-01-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63340
Any update on the openSUSE 13.2 patch for this? Current openssh version is 6.6p1-5.3.1, and it has the vulnerability. Or can someone refer me to a patch that works with the given version?
A 13.2 update is not planned anymore. openSUSE 13.2 reached EOL in January.
I am sorry we did not keep a lookout for a new 13.2 submission :(
That's cool! I found 7.2p1 here, https://software.opensuse.org/download.html?project=network&package=openssh (Just in case anyone stumbles upon this thread)