000033108 - RSA Authentication Manager 8.1 SP1 patch 13 shows an OpenSSH vulnerability to brute force dictionary-based password attacks (CVE-2015-5600)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Oct 26, 2016. Version 3.

Article Content

Article Number: 000033108
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Issue: A vulnerability scan of Authentication Manager 8.1 SP1 patch 13 had the following finding:
Exploited or Verified: VERIFIED ONLY
Impact: The version of OpenSSH running on the affected sockets allows unauthenticated attackers to make accelerated authentication attempts against the service without being disconnected after a practical number of authentication failures. Internal attackers can leverage this vulnerability to perform dictionary-based password attacks against targeted SSH accounts.
Recommendations: Update the affected service to OpenSSH 7.0 or later.

Cause: This scan finding refers to CVE-2015-5600, which has the following description:

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
Resolution: The fix is in the RSA Authentication Manager 8.1.1 Third-Party Patch 2.0. Be sure to follow the appropriate readme when installing the patch. Note that this patch cannot be rolled back.
  1. Before installing the Third-Party Patch, upgrade each appliance to Authentication Manager 8.1 SP1 patch 14 or later.
  2. Apply the Third-Party Patch 2.0 through the Operations Console (Maintenance > Update and Rollback).
  3. On the Update & Rollback page, the default update source is your local browser. To change that setting, click Configure Update Source.
  4. On the Configure Update Sources page, specify a location for updates.  See the readme for more detail.
  5. To test the NFS or Windows share directory settings, click Test Connection. A message indicates whether the configured shared directory is available to the primary or replica instance.
  6. Click Save.
Workaround: Temporarily disable SSH from the Operations Console (Administration > Operating System Access).
Notes: The details appear to contain a contradiction. The CVE description says the vulnerability affects OpenSSH through version 6.9, which is why the scan says OpenSSH 7.0 is needed. But the details on the SUSE site, which the JIRA copies, say the fix is openssh-6.2p2-0.24.1; that is the library version, not the OpenSSH version.
See SUSE's page on CVE-2015-5600 and their list of released packages:
Product(s) / Fixed package version(s)
SUSE Linux Enterprise Desktop 12
  • openssh >= 6.6p1-29.1
  • openssh-askpass-gnome >= 6.6p1-29.1
  • openssh-helpers >= 6.6p1-29.1
SUSE Linux Enterprise Server 11 SP2-LTSS
  • openssh >= 5.1p1-41.69.1
  • openssh-askpass >= 5.1p1-41.69.1
  • openssh-askpass-gnome >= 5.1p1-41.69.4
SUSE Linux Enterprise Server 11 SP4
  • openssh >= 6.6p1-13.1
  • openssh-askpass-gnome >= 6.6p1-13.3
  • openssh-fips >= 6.6p1-13.1
  • openssh-helpers >= 6.6p1-13.1
SUSE Linux Enterprise Server 12
  • openssh >= 6.6p1-29.1
  • openssh-askpass-gnome >= 6.6p1-29.1
  • openssh-fips >= 6.6p1-29.1
  • openssh-helpers >= 6.6p1-29.1

For an RSA Authentication Manager virtual or physical appliance, this means that RSA Authentication Manager 8.1.1 Third-Party Patch 2.0 must be installed.
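The Notes above hinge on the difference between the upstream OpenSSH release number, which a banner-based scanner reads, and the SUSE package version that carries the backported fix. The Python script below is an added example and is not part of this article nor RSA's or SUSE's tooling: it compares an installed openssh package version against the fixed versions from the SUSE table using RPM's version-ordering rules, and separately reports whether the upstream number is still below 7.0 (the case where a patched package is still flagged by the scan). It assumes the version string was obtained on the appliance with `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssh`; the sample inputs at the bottom are constructed, not real appliance output.

```python
"""Compare an installed openssh RPM against the CVE-2015-5600 fixed versions
listed for SUSE products (added example; not RSA's or SUSE's code)."""
import re

# Fixed package versions (version-release) copied from the SUSE table in the article.
FIXED_OPENSSH = {
    "SUSE Linux Enterprise Desktop 12": "6.6p1-29.1",
    "SUSE Linux Enterprise Server 11 SP2-LTSS": "5.1p1-41.69.1",
    "SUSE Linux Enterprise Server 11 SP4": "6.6p1-13.1",
    "SUSE Linux Enterprise Server 12": "6.6p1-29.1",
}

# Upstream release the scanner asks for ("Update the affected service to OpenSSH 7.0 or later").
UPSTREAM_FIXED = (7, 0)

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version (or version-release) strings like rpm's rpmvercmp.

    Strings are split into maximal digit and alphabetic runs; separators such as
    '.' and '-' only delimit. Digit runs compare numerically, alphabetic runs
    lexically, a digit run outranks an alphabetic run in the same position, and a
    string with segments left over outranks its prefix. The '~' and '^' conventions
    are not implemented here. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_rpm_query(line: str) -> tuple:
    """Split 'openssh-6.6p1-29.1' (NAME-VERSION-RELEASE) into (name, 'version-release')."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, f"{version}-{release}"


def upstream_version(version_release: str) -> tuple:
    """Leading numeric components of the upstream version: '6.6p1-29.1' -> (6, 6)."""
    upstream = version_release.split("-", 1)[0]
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", upstream).group(0).split("."))


def assess(product: str, rpm_line: str) -> dict:
    """Report whether the package carries the fix and whether a banner-based
    scanner would still flag it (upstream number below 7.0)."""
    name, ver_rel = parse_rpm_query(rpm_line)
    if name != "openssh":
        raise ValueError(f"expected an openssh package, got {name!r}")
    fixed = FIXED_OPENSSH[product]
    return {
        "product": product,
        "installed": ver_rel,
        "fixed_package": fixed,
        "package_fixed": rpmvercmp(ver_rel, fixed) >= 0,
        "banner_below_7_0": upstream_version(ver_rel) < UPSTREAM_FIXED,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real appliance.
    samples = [
        ("SUSE Linux Enterprise Server 12", "openssh-6.6p1-29.1"),     # fixed, banner still 6.6
        ("SUSE Linux Enterprise Server 12", "openssh-6.6p1-28.1"),     # one release too old
        ("SUSE Linux Enterprise Server 11 SP4", "openssh-6.6p1-13.1"), # exactly the fixed release
        ("SUSE Linux Enterprise Server 12", "openssh-7.2p2-1.1"),      # upstream past 7.0
    ]
    for product, line in samples:
        r = assess(product, line)
        status = "FIXED" if r["package_fixed"] else "VULNERABLE"
        flag = ""
        if r["package_fixed"] and r["banner_below_7_0"]:
            flag = " (banner-based scanners will still report it)"
        print(f"{product}: {r['installed']} vs {r['fixed_package']} -> {status}{flag}")
```

The package comparison, not the upstream number, is the one that decides whether the backported fix is present; the second flag only explains why a scanner keyed on the SSH banner keeps reporting a patched appliance.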