ID

VAR-201901-0011


CVE

CVE-2019-6110


TITLE

OpenSSH Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001595

DESCRIPTION

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. OpenSSH Contains an access control vulnerability.Information may be obtained and information may be altered. OpenSSH is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. OpenSSH 7.9 version is vulnerable; other versions may also be affected. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSH: Multiple vulnerabilities Date: March 20, 2019 Bugs: #675520, #675522 ID: 201903-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSH, the worst of which could allow a remote attacker to gain unauthorized access. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.9_p1-r4" References ========== [ 1 ] CVE-2018-20685 https://nvd.nist.gov/vuln/detail/CVE-2018-20685 [ 2 ] CVE-2019-6109 https://nvd.nist.gov/vuln/detail/CVE-2019-6109 [ 3 ] CVE-2019-6110 https://nvd.nist.gov/vuln/detail/CVE-2019-6110 [ 4 ] CVE-2019-6111 https://nvd.nist.gov/vuln/detail/CVE-2019-6111 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201903-16 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . scp client multiple vulnerabilities =================================== The latest version of this advisory is available at: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Overview -------- SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description ----------- Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output. Impact ------ Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output. Details ------- The discovered vulnerabilities, described in more detail below, enables the attack described here in brief. 1. The attacker controlled server or Man-in-the-Middle(*) attack drops .bash_aliases file to victim's home directory when the victim performs scp operation from the server. The transfer of extra files is hidden by sending ANSI control sequences via stderr. For example: user@local:~$ scp user@remote:readme.txt . readme.txt 100% 494 1.6KB/s 00:00 user@local:~$ 2. Once the victim launches a new shell, the malicious commands in .bash_aliases get executed. *) Man-in-the-Middle attack does require the victim to accept the wrong host fingerprint. Vulnerabilities --------------- 1. CWE-20: scp client improper directory name validation [CVE-2018-20685] The scp client allows server to modify permissions of the target directory by using empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name. 2. CWE-20: scp client missing received object name validation [CVE-2019-6111] Due to the scp implementation being derived from 1983 rcp [1], the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys). The same vulnerability in WinSCP is known as CVE-2018-20684. 3. 4. Proof-of-Concept ---------------- Proof of concept malicious scp server will be released at a later date. Vulnerable versions ------------------- The following software packages have some or all vulnerabilities: ver #1 #2 #3 #4 OpenSSH scp <=7.9 x x x x PuTTY PSCP ? - - x x WinSCP scp mode <=5.13 - x - - Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol. Mitigation ---------- 1. OpenSSH 1.1 Switch to sftp if possible 1.2 Alternatively apply the following patch to harden scp against most server-side manipulation attempts: https://sintonen.fi/advisories/scp-name-validator.patch NOTE: This patch may cause problems if the the remote and local shells don't agree on the way glob() pattern matching works. YMMV. 2. PuTTY 2.1 No fix is available yet 3. WinSCP 3.1. Upgrade to WinSCP 5.14 or later Similar or prior work --------------------- 1. CVE-2000-0992 - scp overwrites arbitrary files References ---------- 1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access Credits ------- The vulnerability was discovered by Harry Sintonen / F-Secure Corporation. Timeline -------- 2018.08.08 initial discovery of vulnerabilities #1 and #2 2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH 2018.08.10 OpenSSH acknowledged the vulnerabilities 2018.08.14 discovered & reported vulnerability #3 to OpenSSH 2018.08.15 discovered & reported vulnerability #4 to OpenSSH 2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers 2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers 2018.09.04 WinSCP developers reported the vulnerability #2 fixed 2018.11.12 requested a status update from OpenSSH 2018.11.16 OpenSSH fixed vulnerability #1 2019.01.07 requested a status update from OpenSSH 2019.01.08 requested CVE assignments from MITRE 2019.01.10 received CVE assignments from MITRE 2019.01.11 public disclosure of the advisory 2019.01.14 added a warning about the potential issues caused by the patch

Trust: 2.16

sources: NVD: CVE-2019-6110 // JVNDB: JVNDB-2019-001595 // BID: 106836 // VULMON: CVE-2019-6110 // PACKETSTORM: 152154 // PACKETSTORM: 151175

AFFECTED PRODUCTS

vendor:winscpmodel:winscpscope:lteversion:5.13

Trust: 1.0

vendor:siemensmodel:scalance x204rnascope:ltversion:3.2.7

Trust: 1.0

vendor:netappmodel:element softwarescope:eqversion: -

Trust: 1.0

vendor:netappmodel:storage automation storescope:eqversion: -

Trust: 1.0

vendor:openbsdmodel:opensshscope:lteversion:7.9

Trust: 1.0

vendor:siemensmodel:scalance x204rna eecscope:ltversion:3.2.7

Trust: 1.0

vendor:netappmodel:ontap select deployscope:eqversion: -

Trust: 1.0

vendor:netappmodel:element softwarescope: - version: -

Trust: 0.8

vendor:netappmodel:ontap select deploy administration utilityscope: - version: -

Trust: 0.8

vendor:netappmodel:storage automation storescope: - version: -

Trust: 0.8

vendor:openbsdmodel:opensshscope:eqversion:7.9

Trust: 0.8

vendor:winscpmodel:winscpscope: - version: -

Trust: 0.8

vendor:susemodel:linux enterprise server 12-sp2scope: - version: -

Trust: 0.3

vendor:susemodel:linux enterprise server 12-sp1scope: - version: -

Trust: 0.3

vendor:susemodel:linux enterprise server sp3scope:eqversion:12

Trust: 0.3

vendor:susemodel:linux enterprise server gascope:eqversion:12

Trust: 0.3

vendor:susemodel:linux enterprise server sp4scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise server sp3 ltssscope:eqversion:11

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:7

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linuxscope:eqversion:5

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:7.9

Trust: 0.3

vendor:f5model:traffix sdcscope:eqversion:5.1

Trust: 0.3

vendor:f5model:traffix sdcscope:eqversion:5.0

Trust: 0.3

vendor:f5model:traffix sdcscope:eqversion:4.4

Trust: 0.3

sources: BID: 106836 // JVNDB: JVNDB-2019-001595 // NVD: CVE-2019-6110

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6110
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-6110
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201901-468
value: MEDIUM

Trust: 0.6

VULMON: CVE-2019-6110
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-6110
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2019-6110
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-6110
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2019-6110 // JVNDB: JVNDB-2019-001595 // CNNVD: CNNVD-201901-468 // NVD: CVE-2019-6110

PROBLEMTYPE DATA

problemtype:CWE-838

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2019-001595 // NVD: CVE-2019-6110

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 152154 // CNNVD: CNNVD-201901-468

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201901-468

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001595

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2019-6110

PATCH

title:NTAP-20190213-0001url:https://security.netapp.com/advisory/ntap-20190213-0001/

Trust: 0.8

title:CVS log for src/usr.bin/ssh/progressmeter.curl:https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c

Trust: 0.8

title:CVS log for src/usr.bin/ssh/scp.curl:https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

Trust: 0.8

title:Top Pageurl:https://winscp.net/eng/index.php

Trust: 0.8

title:OpenSSH Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=88612

Trust: 0.6

title:The Registerurl:https://www.theregister.co.uk/2019/01/15/scp_vulnerability/

Trust: 0.2

title:Debian CVElist Bug Report Logs: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possibleurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=74b791ca4fdf54c27d2b50ef6845ef8e

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM DataPower Gateway is affected by a message spoofing vulnerability (CVE-2019-6110)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2211d00f1dec75d45567fcf2f195085b

Trust: 0.1

title:Debian CVElist Bug Report Logs: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictionsurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=8394bb17731a99ef76b185cbc70acfa3

Trust: 0.1

title:IBM: IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111) Security Bulletinurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=50a54c2fb43b489f64442dcf4f25bc3b

Trust: 0.1

title:IBM: Security Bulletin: IBM Cloud Pak for Security is vulnerable to using components with known vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=11f5d971f7d860c9a65bb387cd7c4b76

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d

Trust: 0.1

title: - url:https://github.com/Live-Hack-CVE/CVE-2019-6110

Trust: 0.1

title: - url:https://github.com/h4xrOx/Direct-Admin-Vulnerability-Disclosure

Trust: 0.1

title:DC-4-Vulnhub-Walkthroughurl:https://github.com/vshaliii/DC-4-Vulnhub-Walkthrough

Trust: 0.1

title:nmapurl:https://github.com/devairdarolt/nmap

Trust: 0.1

title:iot-cvesurl:https://github.com/InesMartins31/iot-cves

Trust: 0.1

title:Funbox2-rookieurl:https://github.com/vaishali1998/Funbox2-rookie

Trust: 0.1

title:Basic-Pentesting-2-Vulnhub-Walkthroughurl:https://github.com/vshaliii/Basic-Pentesting-2-Vulnhub-Walkthrough

Trust: 0.1

title:Basic-Pentesting-2url:https://github.com/vshaliii/Basic-Pentesting-2

Trust: 0.1

sources: VULMON: CVE-2019-6110 // JVNDB: JVNDB-2019-001595 // CNNVD: CNNVD-201901-468

EXTERNAL IDS

db:NVDid:CVE-2019-6110

Trust: 3.0

db:EXPLOIT-DBid:46193

Trust: 1.7

db:SIEMENSid:SSA-412672

Trust: 1.7

db:JVNDBid:JVNDB-2019-001595

Trust: 0.8

db:PACKETSTORMid:152154

Trust: 0.7

db:AUSCERTid:ESB-2019.1633

Trust: 0.6

db:AUSCERTid:ESB-2019.0346.3

Trust: 0.6

db:AUSCERTid:ESB-2019.0346.2

Trust: 0.6

db:AUSCERTid:ESB-2019.2671

Trust: 0.6

db:EXPLOIT-DBid:46516

Trust: 0.6

db:CNNVDid:CNNVD-201901-468

Trust: 0.6

db:BIDid:106836

Trust: 0.3

db:ICS CERTid:ICSA-22-349-21

Trust: 0.1

db:VULMONid:CVE-2019-6110

Trust: 0.1

db:PACKETSTORMid:151175

Trust: 0.1

sources: VULMON: CVE-2019-6110 // BID: 106836 // JVNDB: JVNDB-2019-001595 // PACKETSTORM: 152154 // PACKETSTORM: 151175 // CNNVD: CNNVD-201901-468 // NVD: CVE-2019-6110

REFERENCES

url:https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Trust: 2.1

url:https://security.gentoo.org/glsa/201903-16

Trust: 1.8

url:https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

Trust: 1.7

url:https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c

Trust: 1.7

url:https://www.exploit-db.com/exploits/46193/

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20190213-0001/

Trust: 1.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-6110

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6110

Trust: 0.8

url:http://www.ibm.com/support/docview.wss?uid=ibm10872060

Trust: 0.6

url:https://packetstormsecurity.com/files/152154/gentoo-linux-security-advisory-201903-16.html

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10872060

Trust: 0.6

url:https://www.exploit-db.com/exploits/46516

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80574

Trust: 0.6

url:https://www.ibm.com/support/pages/node/1143460

Trust: 0.6

url:https://www.ibm.com/support/docview.wss?uid=ibm10960177

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2671/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.0346.2/

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10883886

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.0346.3/

Trust: 0.6

url:http://www.openssh.org/

Trust: 0.3

url:https://support.f5.com/csp/article/k42531048

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-6110

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-6111

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-6109

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-20685

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/838.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=59543

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/46193

Trust: 0.1

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20684

Trust: 0.1

url:https://sintonen.fi/advisories/scp-name-validator.patch

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2000-0992

Trust: 0.1

url:https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access

Trust: 0.1

sources: VULMON: CVE-2019-6110 // BID: 106836 // JVNDB: JVNDB-2019-001595 // PACKETSTORM: 152154 // PACKETSTORM: 151175 // CNNVD: CNNVD-201901-468 // NVD: CVE-2019-6110

CREDITS

Harry Sintonen,Gentoo

Trust: 0.6

sources: CNNVD: CNNVD-201901-468

SOURCES

db:VULMONid:CVE-2019-6110
db:BIDid:106836
db:JVNDBid:JVNDB-2019-001595
db:PACKETSTORMid:152154
db:PACKETSTORMid:151175
db:CNNVDid:CNNVD-201901-468
db:NVDid:CVE-2019-6110

LAST UPDATE DATE

2024-08-14T12:24:04.889000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2019-6110date:2023-02-23T00:00:00
db:BIDid:106836date:2018-11-16T00:00:00
db:JVNDBid:JVNDB-2019-001595date:2019-03-15T00:00:00
db:CNNVDid:CNNVD-201901-468date:2022-12-14T00:00:00
db:NVDid:CVE-2019-6110date:2023-02-23T23:29:26.993

SOURCES RELEASE DATE

db:VULMONid:CVE-2019-6110date:2019-01-31T00:00:00
db:BIDid:106836date:2018-11-16T00:00:00
db:JVNDBid:JVNDB-2019-001595date:2019-03-15T00:00:00
db:PACKETSTORMid:152154date:2019-03-20T16:09:02
db:PACKETSTORMid:151175date:2019-01-16T15:04:39
db:CNNVDid:CNNVD-201901-468date:2019-01-15T00:00:00
db:NVDid:CVE-2019-6110date:2019-01-31T18:29:00.807