A simple but highly critical vulnerability recently disclosed in the most widely used OpenSSH software allows attackers to try thousands of password login attempts per connection in a short period.





OpenSSH is the most popular software widely used for secure remote access to Linux-based systems. Generally, the software allows 3 to 6 password login attempts before closing a connection, but a new vulnerability lets attackers perform thousands of authentication requests remotely.

OpenSSH servers with keyboard-interactive authentication enabled, including FreeBSD Linux, can be exploited to carry out the brute force attack on OpenSSH protocol, a security researcher with online alias KingCope explained in a blog post.

Exploit for the Vulnerability RELEASED





Hackers could widely exploit the vulnerability because keyboard-interactive authentication is enabled by default on most systems.

The researcher has also released proof-of-concept exploit code, which is just a single command, as follows:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

This simple command effectively allows up to 10,000 password attempts within two minutes of login grace time.





"The crucial part is that if the attacker requests 10,000 keyboard-interactive devices OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded," KingCope said.





However, depending on the connection and the victim's Linux machine, the two-minute 'grace period' and thousands of login attempts are enough to achieve a successful login using a dictionary attack with a word list of the most commonly used passwords.





The vulnerability is present in the latest version of OpenSSH, which is Version 6.9.
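
Because the attack packs thousands of password attempts into one connection, it stands out in sshd logs: a single sshd process should never record more failures than the 3 to 6 attempts normally allowed. The following Python detection check is an added example, not code from the researcher or the OpenSSH project; the log lines are constructed, and the function name `find_auth_floods` and the threshold of 6 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd commonly writes.
# Connection sshd[4250] shows 40 failures, far beyond any normal limit.
SAMPLE_LOG = """\
Jul 22 10:00:01 web1 sshd[4101]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jul 22 10:00:05 web1 sshd[4101]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
""" + "".join(
    f"Jul 22 10:01:{i % 60:02d} web1 sshd[4250]: Failed keyboard-interactive/pam "
    f"for root from 203.0.113.9 port 51022 ssh2\n"
    for i in range(40)
) + """\
Jul 22 10:02:10 web1 sshd[4300]: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.44 port 33010 ssh2
"""

# Matches both "Failed password" and "Failed keyboard-interactive/pam" lines.
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_auth_floods(log_text, max_auth_tries=6):
    """Return {pid: (source_ip, failures)} for connections over the limit.

    Each connection is handled by its own sshd process, so the PID in the
    log prefix identifies one connection. Assumes one "Failed ..." line per
    rejected attempt and a log window short enough that PIDs are not reused.
    """
    counts = defaultdict(int)
    source = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        counts[pid] += 1
        source[pid] = m.group("ip")
    return {pid: (source[pid], n)
            for pid, n in counts.items() if n > max_auth_tries}

if __name__ == "__main__":
    for pid, (ip, n) in find_auth_floods(SAMPLE_LOG).items():
        print(f"sshd[{pid}]: {n} failed attempts in one connection from {ip}")
```
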





How to Mitigate the Attack?





Administrators are advised to take the following precautions until OpenSSH releases an official patch to address the issue: