VMware Cloud Community
paulxedos
Contributor

OpenSSH MaxAuthTries vulnerability in ESXi6.0

The version of OpenSSH on VMware ESXi 6.0 seems to be open to the MaxAuthTries vulnerability, which is currently being picked up by our security scanners:

"The remote SSH server is affected by a security bypass vulnerability due to a flaw in the keyboard-interactive authentication mechanisms.

The kbdint_next_device() function in auth2-chall.c improperly restricts the processing of keyboard-interactive devices within a single connection. A remote attacker can exploit this, via a crafted keyboard-interactive 'devices' string, to bypass the normal restriction of 6 login attempts (MaxAuthTries), resulting in the ability to conduct a brute-force attack or cause a denial of service condition."


Other than switching off sshd, which I would prefer not to do as it is very useful, are there any plans to upgrade to OpenSSH 7 (the proposed solution for this issue)?

Thanks

Paul

4 Replies
sbavisetti
Contributor

We have noticed the same security hole in 5.5 Update 3a as well. I am thinking of opening a support ticket with VMWARE.

rheger
Contributor

That's a vulnerability in 5.5 U3b as well. From what I had read, OpenSSH v7.0 was supposed to be the package that was installed in v6.0, but alas it is not. Is there a command to list which version of OpenSSH is installed?

Thanks

deadwing
Contributor

Telnet to the host on port 22. That's a quick and easy way.

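The banner check deadwing suggests, scripted so it can be run against your own hosts from any shell, as an added example that is not part of the thread. It grabs the SSH identification line (the server sends it before any authentication happens), pulls out the OpenSSH version and reports whether it is below the 7.x line the thread names as the fix. The sample banner in the test is constructed; `nc` is assumed to be available on the machine running the check.

```shell
#!/bin/sh
# Added example, not from the thread: read an SSH server's version banner and
# classify the OpenSSH version it advertises. No login is attempted; the server
# sends its identification string as the first line of the connection.

# Parse an identification line such as "SSH-2.0-OpenSSH_5.6p1 Debian-4" into the
# bare OpenSSH version ("5.6p1"). Returns 1 if the banner is not OpenSSH.
parse_openssh_version() {
    banner="$1"
    case "$banner" in
        SSH-*-OpenSSH_*) ;;
        *) return 1 ;;
    esac
    ver="${banner#*OpenSSH_}"   # drop everything up to and including "OpenSSH_"
    ver="${ver%% *}"            # drop any trailing vendor comment
    printf '%s\n' "$ver"
}

# The thread states that OpenSSH 7 is the proposed fix; this only encodes that
# statement, it does not look up the CVE itself. Prints "below-7" or "at-or-above-7".
classify_version() {
    major="${1%%.*}"
    if [ "$major" -ge 7 ] 2>/dev/null; then
        echo "at-or-above-7"
    else
        echo "below-7"
    fi
}

# Fetch the first line the server sends (its banner) and strip the trailing CR.
# Usage: grab_banner esxi-host.example.invalid 22
grab_banner() {
    host="$1"; port="${2:-22}"
    nc -w 3 "$host" "$port" 2>/dev/null </dev/null | head -n 1 | tr -d '\r'
}

# Convenience wrapper: banner -> "version status", e.g. "5.6p1 below-7".
report_host() {
    b="$(grab_banner "$1" "${2:-22}")"
    v="$(parse_openssh_version "$b")" || { echo "not OpenSSH: $b"; return 1; }
    echo "$v $(classify_version "$v")"
}
```

Because the banner is whatever the daemon advertises, treat the result as a pointer for further checking against the vendor's patch notes rather than proof of a fix: a vendor can backport a patch without bumping the version string, and the reverse is also possible.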
deadwing
Contributor

On my ESXi 5.0 hosts, I modified my sshd_config (in /etc/ssh) with the following lines:

ChallengeResponseAuthentication no

PasswordAuthentication yes

and this vulnerability is gone. The "PasswordAuthentication" directive was already there but was set to "no".

I haven't seen any issues with doing this so far. Hopefully this helps.

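The sshd_config change from deadwing's post, applied by script and then verified, as an added example that is not part of the thread. It works on a constructed sample file so it can be run anywhere; on an ESXi host the real path is /etc/ssh/sshd_config as the post says, and the SSH service has to be restarted afterwards (assumed: `/etc/init.d/SSH restart`) for the new settings to take effect. The `set_sshd_directive` and `get_sshd_directive` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: set sshd_config directives idempotently and
# read back the effective value the way sshd does (first uncommented match wins).

# Set DIRECTIVE to VALUE in FILE. An existing line, commented out or not, is
# rewritten in place; otherwise the directive is appended. Matching is anchored
# so "PasswordAuthentication" does not touch e.g. "KbdInteractiveAuthentication".
set_sshd_directive() {
    file="$1"; directive="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${directive}[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${directive}[[:space:]].*/${directive} ${value}/" "$file"
    else
        printf '%s %s\n' "$directive" "$value" >> "$file"
    fi
}

# Print the effective value of DIRECTIVE in FILE (keywords are case-insensitive in sshd).
get_sshd_directive() {
    awk -v d="$2" 'tolower($1)==tolower(d) {print $2; exit}' "$1"
}

# Constructed sample resembling the situation in the post: password auth present
# but off, challenge-response only present as a comment (sshd default is "yes").
make_sample_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample sshd_config, not copied from any host
Protocol 2
#ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
EOF
    printf '%s\n' "$f"
}

# Apply the two changes from the post and return the path of the modified file.
harden_sample() {
    f="$(make_sample_config)"
    set_sshd_directive "$f" ChallengeResponseAuthentication no
    set_sshd_directive "$f" PasswordAuthentication yes
    printf '%s\n' "$f"
}
```

Re-run the scanner after the service restart; the bypass depends on the keyboard-interactive method being offered, so with `ChallengeResponseAuthentication no` the finding should clear even though the OpenSSH version string is unchanged. Also confirm the edited file survives a reboot on your ESXi version before relying on it.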