|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
|Issue||A vulnerability scan of Authentication Manager 8.1 SP1 patch 13 had the following finding:|
Exploited or Verified: VERIFIED ONLY
Impact: The version of OpenSSH running on the affected sockets allows unauthenticated attackers to make accelerated authentication attempts against the service without being disconnected after a practical number of authentication failures. Internal attackers can leverage this vulnerability to perform dictionary-based password attacks against targeted SSH accounts.
Recommendations: Update the affected service to OpenSSH 7.0 or later
|Cause||This scan finding refers to CVE-2015-5600, which has the following description:|
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
|Resolution||The fix is in the RSA Authentication Manager 8.1.1 Third-Party Patch 2.0. Be sure to follow the appropriate readme when installing the patch. Note that this patch cannot be rolled back.|
|Workaround||Temporarily disable SSH from the Operations Console (Administration > Operating System Access).|
|Notes||The details appear to contradict each other. The CVE description says the vulnerability affects OpenSSH through version 6.9, which is why the scan says OpenSSH 7.0 or later is required. However, the SUSE advisory, which the JIRA copies, says the fix is in openssh-6.2p2-0.24.1; that is the version of the SUSE openssh package, which carries a backported fix, not the upstream OpenSSH version.|
See SUSE's page on CVE-2015-5600 and their list of released packages:
For an RSA Authentication Manager virtual or physical appliance, this means that RSA Authentication Manager 8.1.1 Third-Party Patch 2.0 must be installed.
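As an added check that is not part of the RSA article: the mismatch described in the notes above (a scanner keying on the OpenSSH banner version while SUSE ships a backported fix under an older package version) can be reconciled by comparing both values against the thresholds quoted on this page. The banner format and the package string (as printed by `rpm -q openssh` on a SUSE-based host) are assumed inputs; the rpm-style version comparison is a simplified reimplementation, not SUSE's or RSA's code.

```python
import re

# Thresholds quoted in the article: upstream fix in OpenSSH 7.0,
# SUSE backport in package openssh-6.2p2-0.24.1
FIXED_UPSTREAM = (7, 0)
FIXED_SUSE_PACKAGE = "6.2p2-0.24.1"


def parse_banner(banner):
    """Return (major, minor) from a banner such as 'SSH-2.0-OpenSSH_6.2', else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def _segments(s):
    # rpm-style tokenisation: numeric and alphabetic runs, '6.2p2' -> [6, 2, 'p', 2]
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):      # rpm rule: a numeric segment is newer than an alphabetic one
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def package_at_least(candidate, fixed):
    """Compare 'version-release' strings ('openssh-' prefix optional) as rpm would."""
    cv, cr = re.sub(r"^openssh-", "", candidate).split("-", 1)
    fv, fr = re.sub(r"^openssh-", "", fixed).split("-", 1)
    c = _cmp(cv, fv)
    return (c if c else _cmp(cr, fr)) >= 0


def assess(banner, package_evr=None):
    """Classify a host for CVE-2015-5600: 'fixed', 'backported', 'vulnerable' or 'unknown'."""
    ver = parse_banner(banner)
    if ver is None:
        return "unknown"
    if ver >= FIXED_UPSTREAM:
        return "fixed"
    if package_evr and package_at_least(package_evr, FIXED_SUSE_PACKAGE):
        return "backported"     # banner-only scanners report this case as a false positive
    return "vulnerable"
```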