FreeBSD < 10.3-RELEASE-p21 / 11.0 < 11.0-RELEASE-p12 / 11.1 < 11.1-RELEASE-p1 OpenSSH Password Length DoS (FreeBSD-SA-17:06.openssh)
Severity: High
Nessus Plugin ID: 102917

Synopsis
The remote FreeBSD host is missing a security-related update.

Description
The version of the FreeBSD kernel running on the remote host is prior to 10.3-RELEASE-p21, 11.0 prior to 11.0-RELEASE-p12, or 11.1 prior to 11.1-RELEASE-p1. It is, therefore, affected by a flaw in the built-in password authentication of OpenSSH. An unauthenticated, remote attacker can exploit this issue by sending very long passwords when PasswordAuthentication has been enabled by the system administrator, resulting in a denial of service condition.
Note that this issue only affects hosts with PasswordAuthentication enabled in /etc/ssh/sshd_config (the default FreeBSD configuration).
You may work around this issue by disabling PasswordAuthentication and restarting sshd.

Solution
Upgrade to FreeBSD version 10.3-RELEASE-p21 / 11.0-RELEASE-p12 / 11.1-RELEASE-p1 or later. Alternatively, apply the workaround referenced in the advisory to disable PasswordAuthentication.
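To verify whether a host still relies on the vulnerable setting, the check below reports whether PasswordAuthentication is effectively enabled in an sshd_config file. It is an added example, not code from the advisory or from FreeBSD; the function name is hypothetical, and it treats a config that never sets the keyword as enabled because that is OpenSSH's default (the same default the advisory notes for FreeBSD).

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether PasswordAuthentication
# is effectively enabled in an sshd_config file. Returns 0 (enabled) or
# 1 (disabled). OpenSSH's built-in default is "yes", so an unset keyword
# counts as enabled. Assumptions: one keyword per line, whitespace-separated
# (the optional "Keyword=value" form is not handled), and settings inside
# "Match" blocks are ignored because they apply only to matching connections.
password_auth_enabled() {
    cfg="$1"
    # sshd honours the first occurrence of a global keyword, case-insensitively.
    # Once a Match block starts, everything after it is conditional, so stop.
    val=$(awk '
        tolower($1) == "match"                  { in_match = 1 }
        in_match                                { next }
        $1 ~ /^#/                               { next }
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$cfg")
    case "$val" in
        no) return 1 ;;
        *)  return 0 ;;   # "yes" or unset (default yes)
    esac
}

# Optional command-line use: ./check.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    if password_auth_enabled "$1"; then
        echo "PasswordAuthentication is enabled in $1 (vulnerable until patched)"
    else
        echo "PasswordAuthentication is disabled in $1 (workaround in place)"
    fi
fi
```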