CVSS2

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | PARTIAL |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

EPSS

| Metric | Value |
|---|---|
| Percentile | 94.3% |
The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.

In practice each half-open connection occupies one of the MaxStartups slots (10 by default before OpenSSH 6.2) for the whole LoginGraceTime (120 seconds by default), so a client that opens ten connections every two minutes and never authenticates keeps every slot busy and no legitimate user reaches the login prompt.
| Author | Note |
|---|---|
| jdstrand | This is a long-standing problem with any server that limits connections. This requires conffile changes. |
| mdeslaur | Upstream has changed the default MaxStartups to 10:30:100 to mitigate this issue. Sysadmins can change the equivalent config locally. We will not be fixing this issue in Ubuntu 12.04 LTS. In environments where this is a concern, we suggest setting the MaxStartups value to 10:30:100 in the sshd_config file. |
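The mitigation in the notes above, as an added example that is not part of the tracker entry or of OpenSSH itself: the pre-6.2 default written out beside the recommended 10:30:100 value, a small reader for the directive, and the percentage of new connections sshd refuses at a given number of unauthenticated connections under each setting. The two config fragments are constructed for this example; the interpolation formula is my reading of sshd's random early drop, not text from the page.

```shell
#!/bin/sh
# Added example: not from the Ubuntu CVE tracker, the notes above, or OpenSSH.
# Shows the OpenSSH <= 6.1 MaxStartups default next to the mitigated value and
# the per-connection drop probability each one gives.

# Constructed config fragments (not a real host's sshd_config).
# A bare MaxStartups number is a hard cap: the 11th unauthenticated connection
# is refused outright, and each slot stays held for the whole LoginGraceTime
# (120 s by default), which is the slot exhaustion the CVE describes.
WEAK_CONFIG='# sshd_config: OpenSSH <= 6.1 defaults written out
Port 22
LoginGraceTime 120
MaxStartups 10'

# start:rate:full enables random early drop: refuse rate% of new connections
# once `start` are pending, rising linearly to 100% at `full`. A shorter
# LoginGraceTime frees a held slot sooner.
HARDENED_CONFIG='# sshd_config: mitigation recommended in the notes above
Port 22
LoginGraceTime 30
MaxStartups 10:30:100'

# Effective MaxStartups value of the config text on stdin. sshd keeps the
# first occurrence of a keyword; a missing keyword means the compiled-in
# default, a bare "10" through OpenSSH 6.1.
maxstartups_value() {
    v=$(awk 'tolower($1) == "maxstartups" { print $2; exit }')
    printf '%s\n' "${v:-10}"
}

# Percentage of new connections sshd refuses when `n` connections are already
# waiting for authentication, for a MaxStartups spec. A bare number N behaves
# as N:100:N. The integer interpolation mirrors sshd's drop_connection()
# (assumption: my reading of sshd.c, not quoted from the page).
drop_percent() {
    spec=$1; n=$2
    case $spec in
        *:*:*)
            start=${spec%%:*}
            rest=${spec#*:}
            rate=${rest%%:*}
            full=${rest#*:}
            ;;
        *)
            start=$spec; rate=100; full=$spec
            ;;
    esac
    if [ "$n" -lt "$start" ]; then
        printf '0\n'
    elif [ "$n" -ge "$full" ] || [ "$rate" -eq 100 ]; then
        printf '100\n'
    else
        printf '%d\n' $(( (100 - rate) * (n - start) / (full - start) + rate ))
    fi
}

# Reads a config on stdin; prints OK when random early drop has a real ramp
# (rate below 100 and full above start), WEAK for a hard cap.
audit_config() {
    spec=$(maxstartups_value)
    case $spec in
        *:*:*)
            start=${spec%%:*}; rest=${spec#*:}; rate=${rest%%:*}; full=${rest#*:}
            if [ "$rate" -lt 100 ] && [ "$full" -gt "$start" ]; then
                printf 'OK\n'; return 0
            fi
            ;;
    esac
    printf 'WEAK\n'
}

# On a live host (needs root): validate the file, then confirm the value sshd
# actually loaded. Not called by default so the script runs without sshd.
live_check() {
    sshd -t -f /etc/ssh/sshd_config || return 1
    sshd -T -f /etc/ssh/sshd_config | grep -i '^maxstartups'
}

# Compare the two settings across a range of pending-connection counts.
for spec in "$(printf '%s\n' "$WEAK_CONFIG" | maxstartups_value)" \
            "$(printf '%s\n' "$HARDENED_CONFIG" | maxstartups_value)"; do
    printf 'MaxStartups %-10s' "$spec"
    for n in 5 10 25 55 99 100; do
        printf ' n=%-3s drop=%3s%%' "$n" "$(drop_percent "$spec" "$n")"
    done
    printf '\n'
done
```

With the bare default, every legitimate connection is refused as soon as ten are pending; with 10:30:100 the refusal is probabilistic between 10 and 100 pending connections, so an attacker has to hold far more half-open sessions to lock everyone out, and a short LoginGraceTime makes those sessions expire sooner. After editing the file, run `live_check` (or `sshd -t` followed by `sshd -T | grep -i maxstartups` by hand) and reload sshd.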