First published: Sun Aug 07 2016(Updated: )
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openssh | <7.3 | 7.3 |
OpenSSH | <=7.2 | |
Fedoraproject Fedora | =24 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2016-6515 has been classified as a denial of service vulnerability that can lead to high CPU consumption due to unrestricted password length in OpenSSH.
To fix CVE-2016-6515, upgrade OpenSSH to version 7.3 or higher.
CVE-2016-6515 affects OpenSSH versions prior to 7.3.
The impact of CVE-2016-6515 is that it allows remote attackers to exhaust the CPU resources of a vulnerable system.
Yes, CVE-2016-6515 is exploitable remotely through password authentication.