VYPR
High severity, CVSS 8.1 (NVD Advisory) · Published Aug 3, 2015 · Updated May 27, 2026

CVE-2015-5600

Description

OpenSSH through 6.9 fails to limit keyboard-interactive devices, enabling brute-force attacks and CPU exhaustion by repeating pam entries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the kbdint_next_device function in auth2-chall.c of sshd. OpenSSH through version 6.9 does not properly restrict the processing of keyboard-interactive devices, allowing a client to specify a duplicative list of devices (e.g., pam,pam,...). This flaw enables bypassing the MaxAuthTries limit and can be triggered by using the -oKbdInteractiveDevices option with many repeated entries [1][3].

Exploitation

An attacker with network access to an SSH server can use a modified client to send an excessive list of keyboard-interactive devices. Each device triggers a separate authentication attempt, allowing numerous password guesses within a single connection without being limited by MaxAuthTries. For example, an attacker could run `ssh -l user -oKbdInteractiveDevices=$(perl -e 'print "pam," x 10000') target` and then enter a different password at each prompt [4]. This can also cause high CPU consumption on the server, leading to denial of service [1].

Impact

Successful exploitation allows an attacker to perform brute-force password guessing attacks far more efficiently, bypassing the configured maximum authentication attempts. This increases the likelihood of guessing a valid password. Additionally, the attack can cause significant CPU resource exhaustion, resulting in a denial of service condition [1][4].

Mitigation

The vulnerability is fixed in OpenSSH 7.0 (released August 11, 2015) and later versions [3]. Red Hat Enterprise Linux 6 received a backported fix in RHSA-2016-0466 [1]. Arista EOS fixed it in releases 4.12.11M, 4.13.13M, 4.14.10M, and 4.15.2F [4]. Users unable to upgrade should restrict SSH access to trusted networks and enforce strong password policies [4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 24

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing restriction on the number of keyboard-interactive devices a client can request allows the server to loop through an attacker-supplied list, bypassing MaxAuthTries."

Attack vector

An attacker connects via SSH and sets the `-oKbdInteractiveDevices` option to a long, duplicative list (e.g., `pam,pam,...` repeated thousands of times). The server iterates through each device and prompts for a password, allowing the attacker to submit a different password for each prompt. This bypasses the `MaxAuthTries` limit (default 6) and enables up to tens of thousands of password guesses within the login grace period (default 2 minutes) [ref_id=2]. The attack is especially effective against FreeBSD systems, which enable keyboard-interactive authentication by default [ref_id=2].
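As an added example that is not part of this advisory, the script below applies the MaxAuthTries invariant to sshd syslog output: every connection is served by its own sshd child, so more authentication failures under a single sshd PID than MaxAuthTries permits is the signature of this bypass. Which failure record appears (the sshd `Failed keyboard-interactive/pam` line or the `pam_unix(sshd:auth)` line) depends on the sshd version and PAM configuration, so both are counted; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Regexes for the two failure records a PAM-backed sshd writes to syslog:
# the sshd auth_log line and the pam_unix line. Both carry the sshd child's
# PID, which is unique per connection, so grouping by PID counts attempts
# per connection rather than per source address.
SSHD_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed keyboard-interactive\S* for (?:invalid user )?"
    r"\S+ from (?P<ip>\S+) port \d+")
PAM_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*rhost=(?P<ip>\S+)")

def failures_per_connection(log_text):
    """Map (pid, rhost) -> max(#sshd failure lines, #pam_unix failure lines)."""
    sshd_counts = defaultdict(int)
    pam_counts = defaultdict(int)
    for line in log_text.splitlines():
        if m := SSHD_FAIL.search(line):
            sshd_counts[(m["pid"], m["ip"])] += 1
        elif m := PAM_FAIL.search(line):
            pam_counts[(m["pid"], m["ip"])] += 1
    keys = set(sshd_counts) | set(pam_counts)
    # Both records describe the same attempts, so take the larger count
    # rather than the sum to avoid double counting.
    return {k: max(sshd_counts[k], pam_counts[k]) for k in keys}

def find_maxauthtries_bypass(log_text, max_auth_tries=6):
    """Connections with more failures than MaxAuthTries should ever allow."""
    return sorted((k, n) for k, n in failures_per_connection(log_text).items()
                  if n > max_auth_tries)

# Constructed sample log: one connection (PID 4242) from 203.0.113.5 making
# nine guesses, and a normal connection (PID 4300) stopping after three.
SAMPLE_LOG = "\n".join(
    [f"Aug  3 10:00:{i:02d} host sshd[4242]: pam_unix(sshd:auth): authentication "
     f"failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin"
     for i in range(9)] +
    [f"Aug  3 10:01:{i:02d} host sshd[4300]: Failed keyboard-interactive/pam for "
     f"invalid user test from 198.51.100.7 port 40022 ssh2" for i in range(3)])

if __name__ == "__main__":
    for (pid, ip), n in find_maxauthtries_bypass(SAMPLE_LOG):
        print(f"sshd[{pid}] from {ip}: {n} failures in one connection")
```

Run against a real auth.log, a PID exceeding the server's configured MaxAuthTries on a pre-7.0 build warrants checking whether keyboard-interactive authentication can be disabled until the upgrade lands.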

Affected code

The vulnerability resides in `auth2-chall.c` in the `kbdint_next_device` function of sshd (OpenSSH through 6.9). The server does not restrict the number of keyboard-interactive devices a client can request in a single connection [ref_id=1].

What the fix does

The patch (auth2-chall.c r1.42→r1.43) prevents the server from processing duplicate keyboard-interactive device names. With this change, even a request like `-oKbdInteractiveDevices=pam,pam` is no longer honored: the server will not repeat the same device [ref_id=1]. This closes the brute-force amplification vector by ensuring the client cannot force the server to loop through an arbitrarily long list of devices.

Preconditions

  • Config: The target SSH server must have keyboard-interactive authentication enabled (default on FreeBSD).
  • Network: The attacker must be able to initiate an SSH connection to the server.
  • Input: The attacker must supply a crafted `-oKbdInteractiveDevices` option with a long, duplicative device list.

Reproduction

Execute: ``ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost``. This requests 10,000 keyboard-interactive devices, causing the server to prompt for a password for each one, allowing up to 10,000 password guesses within the login grace time [ref_id=2].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 33

News mentions: 0 (no linked articles in our index yet)