Overview
This article describes the vulnerability reported under CVE-2015-5600 by the NVD:
"The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list."
For more information, refer to CVE-2015-5600 Detail.
The current version of OpenSSH in Exinda 7.4.8 is OpenSSH_3.8.1p1.1.tms.1, OpenSSL 1.0.1e-fips 11 Feb 2013.
Information
This is caused by the bundled OpenSSH not having been upgraded to a fixed version. The vulnerability is fixed in OpenSSH 7.0 and later.
An upgrade of OpenSSH to v8 is expected in the Exinda 7.5 release.
Additional Information
This vulnerability can be mitigated in some Linux distributions by disabling the keyboard-interactive authentication method. On Red Hat Linux this is done by setting ChallengeResponseAuthentication to no in the /etc/ssh/sshd_config configuration file and restarting the sshd service.
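As an added example (not from the Exinda article), the following POSIX shell helpers check what value of ChallengeResponseAuthentication sshd would actually use from a given sshd_config and rewrite the file so the directive is explicitly "no". They model sshd's rules that the first occurrence of a keyword wins, that keywords are case-insensitive, that the default is "yes", and that anything after a Match line is conditional; the sample config they operate on is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Report the effective global ChallengeResponseAuthentication value
# ("yes" or "no") from an sshd_config file. Comments are skipped,
# the first match wins, lines after the first Match block are
# conditional and therefore ignored, and the default is "yes".
effective_cra() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        tolower($1) == "match" { in_match = 1 }            # start of Match block
        in_match { next }                                  # conditional section
        tolower($1) == "challengeresponseauthentication" && !found {
            found = 1; print tolower($2)
        }
        END { if (!found) print "yes" }                    # sshd default
    ' "$1"
}

# Harden the file: place "ChallengeResponseAuthentication no" at the
# top (so it is global and not swallowed by a trailing Match block) and
# comment out every other occurrence, including Match-scoped overrides.
# sshd_config does not allow trailing comments on directive lines, so the
# explanatory comment goes on its own line.
disable_cra() {
    config="$1"
    tmp="$config.tmp.$$"
    awk '
        BEGIN {
            print "# Keyboard-interactive authentication disabled (CVE-2015-5600 mitigation)"
            print "ChallengeResponseAuthentication no"
        }
        /^[[:space:]]*#/ { print; next }
        tolower($1) == "challengeresponseauthentication" { print "# " $0; next }
        { print }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Constructed sample sshd_config (not taken from any real host), used for
# a dry run: global "yes" plus a Match block that sets its own value.
write_sample_config() {
    printf '%s\n' \
        '# sample sshd_config (constructed)' \
        'PasswordAuthentication yes' \
        'ChallengeResponseAuthentication yes' \
        'Match User backup' \
        '    ChallengeResponseAuthentication no' > "$1"
}
```

On a live host with OpenSSH 5.1 or newer, `sshd -T` prints the effective configuration and is the authoritative check after the restart.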