A newly disclosed bug in widely-used OpenSSH software allows attackers to make thousands of password guesses in a short space of time.
The bug has existed in OpenSSH since 2007, according to Ars Technica, and means that attackers have much longer than usual to brute-force a password. Normally OpenSSH allows just three or six login attempts before closing a connection, but the new exploit allows hackers a period of two minutes to try as many passwords as they can.
The bug was revealed in a blog post by a researcher calling themselves KingCope. They wrote: “A simple way to exploit the bug is to execute this command: ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost This will effectively allow up to 10,000 password entries limited by the login grace time setting.”
KingCope continued: “The crucial part is that if the attacker requests 10,000 keyboard-interactive devices OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded.”
The Register reports that the bug affects the latest version of OpenSSH, but that installations using crypto keys exclusively for authentication are not vulnerable as the flaw relies on keyboard-entered passwords. Admins running fail2ban or pam-shield should, in theory, be safe since failed login attempts can be detected and the brute-forcing IP addresses banned. Reducing the grace period to 20 or 30 seconds is another mitigation.