all things security
Showing 1 - 9 of 9 RSS Feed

CVE-2015-5600

Status Candidate

Overview

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Related Files

HP Security Bulletin HPSBMU03607 1
Posted Jun 2, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03607 1 - Multiple potential security vulnerabilities have been identified in HPE BladeSystem c-Class Virtual Connect (VC) firmware. These vulnerabilities include: The SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely resulting in disclosure of information. The Cross-protocol Attack on TLS using SSLv2 also known as "DROWN", which could be exploited remotely resulting in disclosure of information. Additional OpenSSL and OpenSSH vulnerabilities which could be remotely exploited resulting in Denial of Service (DoS), disclosure of information, or Cross-site Request Forgery (CSRF). Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability, protocol, csrf
advisories | CVE-2008-5161, CVE-2014-3566, CVE-2015-0705, CVE-2015-1789, CVE-2015-1791, CVE-2015-3194, CVE-2015-5600, CVE-2016-0799, CVE-2016-0800, CVE-2016-2842
MD5 | 6c857b91c2ccec55f2970decf648feab
HP Security Bulletin HPSBST03599 1
Posted May 12, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBST03599 1 - A vulnerability in OpenSSH has been addressed by HPE 3PAR OS. The vulnerabily could be exploited remotely resulting in Denial of Service (DoS) or access restriction bypass. Revision 1 of this advisory.

tags | advisory, denial of service
advisories | CVE-2015-5600
MD5 | 573b8e0bc1bffaea0206f4a694d0f161
Red Hat Security Advisory 2016-0466-01
Posted Mar 22, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-0466-01 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.

tags | advisory, remote, protocol
systems | linux, redhat, openbsd
advisories | CVE-2015-5600, CVE-2016-3115
MD5 | e44b5828174b738b958cd4b364fac26f
HP Security Bulletin HPSBHF03539 1
Posted Jan 29, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBHF03539 1 - Vulnerabilities in OpenSSH and ISC BIND were addressed by HPE VCX. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS). Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
advisories | CVE-2015-5477, CVE-2015-5600, CVE-2015-5722
MD5 | 6b1d5c4e2723750b4c85c318fa20f427
Gentoo Linux Security Advisory 201512-04
Posted Dec 21, 2015
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201512-4 - Multiple vulnerabilities have been found in OpenSSH, the worst of which could lead to arbitrary code execution, or cause a Denial of Service condition. Versions less than 7.1_p1-r2 are affected.

tags | advisory, denial of service, arbitrary, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565
MD5 | b47a12dd6c6720d40e8d0a89de7dcbda
Red Hat Security Advisory 2015-2088-06
Posted Nov 20, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2088-06 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.

tags | advisory, arbitrary, root, protocol
systems | linux, redhat, openbsd
advisories | CVE-2015-5600, CVE-2015-6563, CVE-2015-6564
MD5 | ad8e3bf7c82c570e9806fc41b7c33270
Ubuntu Security Notice USN-2710-2
Posted Aug 18, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2710-2 - USN-2710-1 fixed vulnerabilities in OpenSSH. The upstream fix for CVE-2015-5600 caused a regression resulting in random authentication failures in non-default configurations. This update fixes the problem.

tags | advisory, vulnerability
systems | linux, ubuntu
advisories | CVE-2015-5352, CVE-2015-5600
MD5 | cecf91fdb57ae5dfb1dedd05ca1ef7a2
Ubuntu Security Notice USN-2710-1
Posted Aug 14, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2710-1 - Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to bypass authentication or possibly execute arbitrary code. Various other issues were also addressed.

tags | advisory, remote, arbitrary
systems | linux, ubuntu
advisories | CVE-2015-5352, CVE-2015-5600
MD5 | 5931e8b73140d4c8ead634b5d1916597
FreeBSD Security Advisory - OpenSSH Record Check
Posted Jul 28, 2015
Site security.freebsd.org

FreeBSD Security Advisory - OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.

tags | advisory
systems | freebsd
advisories | CVE-2014-2653, CVE-2015-5600
MD5 | 8cb4a72bf773c38e284608edf83d9522
Page 1 of 1
Back1Next

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    2 Files
  • 23
    Oct 23rd
    10 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close