Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Jul 2015 00:27:17 -0400 (EDT)
Subject: Re: CVE Request for OpenSSH vulnerability - authentication limits bypass

Hash: SHA1

As far as we can tell, the essence of the vulnerability is that the
client shouldn't be able to specify an arbitrarily large number of
KbdInteractiveDevices and be entitled to have the server cooperate.
Use CVE-2015-5600.

Here are additional notes in case anyone was expecting two CVE IDs.

The patch at:

seems to suggest a very similar decision. With this change, the server
no longer cooperates even with:


and this makes sense because, if a client is behaving normally, using
pam a second time would typically just waste server resources, and
would not increase usability from the client's perspective. The only
exception we've thought of is a server that sometimes makes
false-negative access-control decisions, e.g., either it is
intentionally designed to be inconsistent, or uses an intermittently
available hardware authentication device. In the latter case, maybe
users were actually supposed to do something like:


and the patch would have to be revised to support that.

More importantly, we don't think the issue should be characterized as
a "MaxAuthTries bypass." If there are several different
keyboard-interactive methods supported by the server, and there's a
use case in which the client user can type in a single string and have
the client program attempt all of the keyboard-interactive methods,
then the server arguably shouldn't block any if MaxAuthTries is
reached. From the perspective of the client user, it's only one try.

Example: MaxAuthTries has its default value of six, but MIT-KIT has
suddenly released six new major Kerberos protocol versions, and the
legitimate user enters:


We don't think it's necessarily correct to block use of the krb11
protocol because it's the seventh one.

This might not be a completely valid example. The essential point is
that we don't feel there's a remaining vulnerability in which a
MaxAuthTries value of N is supposed to prevent a command line with N+1
different supported elements in the KbdInteractiveDevices list. There
is no CVE ID tied directly to the concept of a MaxAuthTries bypass.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.