OpenSSH bug enables attackers to brute-force their way into poorly configured servers

A vulnerability in the popular secure remote access software OpenSSH can be exploited by attackers to try to brute-force their way into the connection and access Internet-facing computers and/or servers.

Unearthed by a security researcher who goes by the alias Kingcope, the bug allows an attacker to bypass the authentication attempt limits.

“The OpenSSH server normally wouldn’t allow successive authentications that exceed the MaxAuthTries setting in sshd_config, with this vulnerability the allowed login retries can be extended limited only by the LoginGraceTime setting, that can be more than 10000 tries (depends on the network speed), and even more for local attacks,” the researcher explained in his request to the MITRE CVE Numbering Authority, in which he asked for a CVE number to be assigned to the vulnerability.

“Technically this vulnerability affects OpenSSH. It can be found with FreeBSD installations because these use the keyboard-interactive authentication mechanism (that is the one affected) in combination with pam. I haven’t tested skey/bsd auth. To note that this vulnerability looks pretty old, a test against FreeBSD 6.2 (2007 release date) showed it vulnerable. Additionally there is no delay between the authentication retries, but this is another issue that makes this vulnerability more effective.”

Kingcope has also published exploit code for the bug.

Admins who have configured their servers not to allow keyboard-interactive logins don’t need to worry about this vulnerability.

“It’s one of those bugs where the well-configured servers won’t be affected at all, but the poorly configured servers that were already at risk due to low-throughput brute-force attacks are now at even greater risk,” Duo Security CTO Jon Oberheide commented for Ars Technica.




Share this