Bug 16456 - openssh new security issue CVE-2015-5600
Summary: openssh new security issue CVE-2015-5600
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/652363/
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-23 18:15 CEST by David Walser
Modified: 2015-07-28 23:03 CEST

See Also:
Source RPM: openssh-6.6p1-5.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-07-23 18:15:24 CEST
A CVE has been assigned for a security issue fixed upstream in OpenSSH:
http://openwall.com/lists/oss-security/2015/07/23/4

openssh-6.9p1-5.mga6 uploaded for Cauldron with the upstream patch.

Mageia 5 is also affected.

Mageia 4 may be affected, but the code has changed a bit, so we'll see.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-24 17:16:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/652363/

Sander Lepik 2015-07-25 13:38:16 CEST

CC: (none) => mageia
Assignee: bugsquad => guillomovitch

Comment 1 David Walser 2015-07-25 16:53:52 CEST
I accidentally checked my backported patch for Mageia 4 into SVN yesterday too, but I don't know yet if it's correct.  I'll get a better idea when I see what Debian 7 and/or Ubuntu 10.04LTS do.

Whiteboard: (none) => MGA4TOO

Comment 2 David Walser 2015-07-27 14:41:12 CEST
PoC:
$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' user@mageia-machine

where mageia-machine is the hostname or IP address of the Mageia machine that you are testing for this vulnerability, and user is the name of a user account on that machine.  As long as keyboard authentication is enabled (the default) and you're not using an SSH key for that account, it will prompt for a password by simply saying "Password: ".  The correct behavior is that it only gives that prompt three times for incorrect passwords (before switching to user@mageia-machine for two more tries and then exiting), but with this vulnerability, the "Password: " prompt will continue for 10000 (or 30000, I'm not sure) tries.

I've verified the vulnerability on Mageia 4 and Mageia 5, and verified the fix on Mageia 4.

Patched packages uploaded for Mageia 4 and Mageia 5.

Advisory:
========================

Updated openssh package fixes security vulnerabilities:

The OpenSSH server, when keyboard-interactive challenge response
authentication is enabled and PAM is being used (the default configuration
in Mageia), can be tricked into allowing more password attempts than the
MaxAuthTries setting would normally allow in one connection, which can aid
an attacker in brute-force password guessing (CVE-2015-5600).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
http://openwall.com/lists/oss-security/2015/07/23/4
========================

Updated packages in core/updates_testing:
========================
openssh-6.2p2-3.4.mga4
openssh-clients-6.2p2-3.4.mga4
openssh-server-6.2p2-3.4.mga4
openssh-askpass-common-6.2p2-3.4.mga4
openssh-askpass-6.2p2-3.4.mga4
openssh-askpass-gnome-6.2p2-3.4.mga4
openssh-ldap-6.2p2-3.4.mga4
openssh-6.6p1-5.3.mga5
openssh-clients-6.6p1-5.3.mga5
openssh-server-6.6p1-5.3.mga5
openssh-askpass-common-6.6p1-5.3.mga5
openssh-askpass-6.6p1-5.3.mga5
openssh-askpass-gnome-6.6p1-5.3.mga5
openssh-ldap-6.6p1-5.3.mga5

from SRPMS:
openssh-6.2p2-3.4.mga4.src.rpm
openssh-6.6p1-5.3.mga5.src.rpm

Assignee: guillomovitch => qa-bugs
Whiteboard: MGA4TOO => MGA4TOO has_procedure MGA4-32-OK
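
Added example, not part of the bug report and not OpenSSH's source: a simplified C model of the keyboard-interactive device-list handling that the advisory in comment 2 describes. It assumes one prompt per device queried and that the fix amounts to querying each device at most once per request; the device table and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Device table for this model only; "pam" is the device the page's PoC lists. */
static const char *const devices[] = { "pam", "bsdauth" };
#define NDEVICES (sizeof(devices) / sizeof(devices[0]))

/* Return the table index of name[0..len), or -1 if the device is unknown. */
static int device_index(const char *name, size_t len)
{
    for (size_t i = 0; i < NDEVICES; i++)
        if (strlen(devices[i]) == len && strncmp(devices[i], name, len) == 0)
            return (int)i;
    return -1;
}

/*
 * Count the prompts one keyboard-interactive request produces when every
 * answer is wrong (model assumption: one prompt per device queried).
 * once_per_device = 0 models the unfixed server, 1 the fixed one.
 */
unsigned long prompts_for_request(const char *list, int once_per_device)
{
    unsigned int done = 0;      /* bitmask of devices already queried */
    unsigned long prompts = 0;
    while (*list != '\0') {
        size_t len = strcspn(list, ",");
        int idx = device_index(list, len);
        if (idx >= 0 && !(once_per_device && (done & (1u << idx)))) {
            done |= 1u << idx;
            prompts++;
        }
        list += len;
        if (*list == ',')
            list++;
    }
    return prompts;
}

/* Build "name," repeated n times, the shape of list the page's PoC sends. */
char *repeated_list(const char *name, size_t n)
{
    size_t unit = strlen(name) + 1;
    char *buf = calloc(unit * n + 1, 1);    /* zero fill supplies the NUL */
    for (size_t i = 0; buf != NULL && i < n; i++) {
        memcpy(buf + i * unit, name, unit - 1);
        buf[(i + 1) * unit - 1] = ',';
    }
    return buf;
}

int main(void)
{
    char *list = repeated_list("pam", 10000);
    if (list == NULL)
        return 1;
    printf("unfixed: %lu prompts, fixed: %lu prompt(s)\n",
           prompts_for_request(list, 0), prompts_for_request(list, 1));
    free(list);
    return 0;
}
```

In the model, the repeated list yields one prompt per listed entry on the unfixed path and a single prompt on the fixed path, so only the fixed path leaves the per-connection limit in control of how many guesses are possible.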

Comment 3 William Kenney 2015-07-27 17:18:05 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.3.mga4.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.2p2-3.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.2p2-3.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.2p2-3.4.mga4.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-07-27 17:18:32 CEST

Whiteboard: MGA4TOO has_procedure MGA4-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 William Kenney 2015-07-27 17:31:52 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.i586 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.3.mga5.i586 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
William Kenney 2015-07-27 17:32:18 CEST

Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 5 William Kenney 2015-07-27 17:46:06 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssh openssh-clients openssh-server

default install of openssh openssh-clients & openssh-server

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.1.mga5.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

install openssh openssh-clients & openssh-server from updates_testing

[root@localhost wilcal]# urpmi openssh
Package openssh-6.6p1-5.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-clients
Package openssh-clients-6.6p1-5.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openssh-server
Package openssh-server-6.6p1-5.3.mga5.x86_64 is already installed

Putty can connect to localhost
Putty can connect to an external ssh server on the LAN
Putty on another M5 system on the LAN can connect back to the Vbox client under test
"ssh-keygen -t rsa" command generates a public and private key

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
William Kenney 2015-07-27 17:46:26 CEST

Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2015-07-27 17:47:09 CEST
Looks good. What say ye David?
Comment 7 David Walser 2015-07-27 18:10:49 CEST
William, it doesn't look like you tested the PoC I gave.
Dave Hodgins 2015-07-28 16:47:07 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 William Kenney 2015-07-28 17:48:46 CEST
In VirtualBox, M4, KDE, 32-bit

Vbox client under test is at: 192.168.1.142  user: wilcal
Putty can ssh into that Vbox client

In user terminal on another M5 system on the LAN:
ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.142

results in the following:
[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000' wilcal@192.168.1.142
> 

Is perl installed by default into Mageia? Or are there some other perl apps that
need to be installed? Goes like this if I enter something:

> test
> test
> test
> test
> test
> test
Comment 9 Samuel Verschelde 2015-07-28 18:15:10 CEST
I think you're missing a matching backtick after 10000, instead of a quote.
Comment 10 William Kenney 2015-07-28 18:59:26 CEST
(In reply to Samuel VERSCHELDE from comment #9)

> I think you're missing a matching backtick after 10000, instead of a quote.

ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000` wilcal@192.168.1.142

[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000` wilcal@192.168.1.142
bash: command substitution: line 1: unexpected EOF while looking for matching `''
bash: command substitution: line 2: syntax error: unexpected end of file
command-line line 0: Missing argument.

Sorry you gotta hold my hand here. What exactly should the command be? Thanks
Comment 11 David Walser 2015-07-28 19:01:47 CEST
I screwed up the command when I pasted it.

ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142

Sorry for the confusion.
Comment 12 William Kenney 2015-07-28 21:41:08 CEST
(In reply to David Walser from comment #11)

> ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142
> 
> Sorry for the confusion.

In VirtualBox, M4, KDE, 64-bit

From another M5 system on the LAN in a terminal entering three
incorrect passwords:

[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.142
wilcal@192.168.1.142's password: 
Permission denied, please try again.
wilcal@192.168.1.142's password: 
Permission denied, please try again.
wilcal@192.168.1.142's password: 
Permission denied (publickey,password,keyboard-interactive).
[wilcal@localhost ~]$ 

Cool. If I give it the correct password it works fine. Also I'm ping'n a
fixed Vbox client so therefore we can consider this a fixed client?
Comment 13 William Kenney 2015-07-28 21:47:48 CEST
In VirtualBox, M5, KDE, 32-bit

[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.143
Warning: Permanently added '192.168.1.143' (RSA) to the list of known hosts.
Password: 
Password: 
Password: 
wilcal@192.168.1.143's password: 
Permission denied, please try again.
wilcal@192.168.1.143's password: 
Permission denied, please try again.
wilcal@192.168.1.143's password: 
Received disconnect from 192.168.1.143: 2: Too many authentication failures for wilcal
[wilcal@localhost ~]$

Using the correct password gets me in 1st try.
Comment 14 William Kenney 2015-07-28 21:53:41 CEST
In VirtualBox, M5, KDE, 64-bit

[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.141
Warning: Permanently added '192.168.1.141' (RSA) to the list of known hosts.
Password: 
Password: 
Password: 
wilcal@192.168.1.141's password: 
Permission denied, please try again.
wilcal@192.168.1.141's password: 
Permission denied, please try again.
wilcal@192.168.1.141's password: 
Received disconnect from 192.168.1.141: 2: Too many authentication failures for wilcal
[wilcal@localhost ~]$

Using the correct password gets me in 1st try.
Comment 15 William Kenney 2015-07-28 22:01:15 CEST
In VirtualBox, M5, KDE, 64-bit ( unfixed )

[wilcal@localhost ~]$ ssh -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` wilcal@192.168.1.141
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password:
and on and on and on and on
Comment 16 David Walser 2015-07-28 22:40:58 CEST
Correct, it'll keep saying "Password: " over and over again for unfixed, and it'll only do that three times before moving on to "wilcal@192.168.1.141's password: " if it's fixed.  It looks like you got the correct results.
Comment 17 William Kenney 2015-07-28 22:52:33 CEST
This thing's good to go. We also got some good
procedures documented here. Many thanks all.
Testing complete for mga4/5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Comment 18 Mageia Robot 2015-07-28 23:03:17 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0295.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

