OpenSSH Flaw exposes servers to brute-force attacks

A new critical vulnerability has been discovered in the widely used OpenSSH software. An attacker exploiting this flaw can run brute-force attacks against a server, performing thousands of authentication attempts remotely. The vulnerability affects the latest version of OpenSSH (version 6.9); MITRE has assigned it CVE-2015-5600.

OpenSSH is software used to encrypt traffic between clients and servers, preventing eavesdropping and other attacks. It also provides several authentication methods and secure tunneling capabilities.

Normally the OpenSSH server allows 3 to 6 password login attempts before closing a connection, but the flaw discovered by the experts allows an attacker to bypass this limit and run brute-force attacks. The affected configuration is an OpenSSH server with keyboard-interactive authentication enabled, which can be abused to brute-force credentials over the SSH protocol. Unfortunately, keyboard-interactive authentication is enabled by default on many systems.

The vulnerability was discovered by a researcher using the pseudonym KingCope, who explained that many systems are affected by the flaw, including FreeBSD. To trigger the bug, an attacker executes the following command:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

The command above allows up to 10,000 password entries within two minutes, the only limit being the login grace time setting.

"The crucial part is that if the attacker requests 10000 keyboard-interactive devices openssh will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded," the expert continues.

Two minutes of grace period and thousands of login attempts are enough to carry out a successful brute-force attack using a common dictionary.

The next release of the software, OpenSSH 7.0, will include a patch that fixes the problem. The new release is expected in a few weeks.
In the meantime, here are a few suggestions to mitigate the risk:

- Limit access to SSH by using a firewall.
- Disable password authentication for the root account.
- Use an intrusion detection system (IDS) to mitigate brute-force attacks.
- Use strong passwords.
- Use a cryptographic key pair that is at least 2,048 bits in length.
- Reduce the grace period to 20 or 30 seconds.
- Use tools that control and limit failed login attempts.
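The following Python script is an added example written for this article; it is not part of the original post, of KingCope's research, or of OpenSSH itself. It puts two of the suggestions above into practice from the defender's side: it scans sshd failure lines for a burst of failed attempts from one source inside the 120-second grace window the flaw abuses (the "IDS" and "limit failed login attempts" items), and it audits an sshd_config fragment for the weak settings the list targets (long LoginGraceTime, root password login, keyboard-interactive left enabled). The auth.log line format, the 20-failures-per-window threshold, and the OpenSSH 6.x default values it assumes for absent directives are assumptions; the log lines and config fragment are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd failure line (format assumed from typical auth.log output);
# matches "Failed password for ..." and "Failed keyboard-interactive/pam for ...".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse_failures(lines, year=2015):
    """Return one dict (ts, ip, user, method) per failed-authentication line."""
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            failures.append({"ts": ts, "ip": m.group("ip"),
                             "user": m.group("user"), "method": m.group("method")})
    return failures


def find_bursts(failures, threshold=20, window=timedelta(seconds=120)):
    """Map source IP -> peak failures inside any sliding window of `window`.

    The default window is the 2-minute LoginGraceTime from the article; a
    normal client cannot fail 20 times in it, so such sources are reported.
    """
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def _seconds(value):
    """Parse an sshd time value such as '30', '30s' or '2m' into seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip().lower())
    return None if not m else int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def audit_sshd_config(text, max_grace=30):
    """Return (directive, advice) pairs for settings that weaken the server.

    Absent directives are treated as the OpenSSH 6.x defaults (assumed here):
    LoginGraceTime 2m, PermitRootLogin yes, PasswordAuthentication yes,
    ChallengeResponseAuthentication yes (keyboard-interactive), MaxAuthTries 6.
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()

    def get(key, default):
        return settings.get(key, default).lower()

    findings = []
    grace = _seconds(get("logingracetime", "2m"))
    if grace is None or grace > max_grace:
        findings.append(("LoginGraceTime", f"reduce to {max_grace}s or less"))
    if get("permitrootlogin", "yes") == "yes":
        findings.append(("PermitRootLogin", "set to 'without-password' or 'no'"))
    if get("passwordauthentication", "yes") == "yes":
        findings.append(("PasswordAuthentication", "prefer key-based authentication"))
    if get("challengeresponseauthentication", "yes") == "yes":
        findings.append(("ChallengeResponseAuthentication",
                         "keyboard-interactive is enabled; disable it if unused"))
    if int(get("maxauthtries", "6")) > 6:
        findings.append(("MaxAuthTries", "lower to 6 or fewer"))
    return findings


def _constructed_log():
    """Constructed auth.log lines: one burst source plus one ordinary typo."""
    base = datetime(2015, 7, 22, 10, 0, 0)
    lines = [f"{base + timedelta(seconds=2 * i):%b %d %H:%M:%S} bastion sshd[4242]: "
             f"Failed keyboard-interactive/pam for root from 203.0.113.5 port {51000 + i} ssh2"
             for i in range(30)]                       # 30 failures in under a minute
    lines += [f"{base + timedelta(minutes=5 * i):%b %d %H:%M:%S} bastion sshd[4243]: "
              f"Failed password for alice from 198.51.100.7 port 40001 ssh2"
              for i in range(2)]                       # two failures, five minutes apart
    return lines


SAMPLE_LOG = _constructed_log()
SAMPLE_CONFIG = """\
# constructed sshd_config fragment showing the weak settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
LoginGraceTime 2m
MaxAuthTries 6
"""

if __name__ == "__main__":
    for ip, n in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"burst: {n} failures from {ip} inside 120s")
    for directive, advice in audit_sshd_config(SAMPLE_CONFIG):
        print(f"sshd_config: {directive}: {advice}")
```

On the sample data the burst detector reports only 203.0.113.5 (30 failures in under a minute), while the two spaced-out failures from 198.51.100.7 stay below the threshold; the audit flags LoginGraceTime, PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication, and the same fragment with LoginGraceTime 30 and the three others set to no produces no findings. The sliding window is keyed on source IP because the flaw keeps a single connection open, so a burst of failures from one address inside one grace period is exactly the signal the IDS suggestion asks for.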