CVE-2019-6111

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

scp client multiple vulnerabilities
===================================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Overview
--------

SCP clients from multiple vendors are susceptible to a malicious scp server
performing unauthorized changes to the target directory and/or client output
manipulation.

Description
-----------

Many scp clients fail to verify if the objects returned by the scp server
match those the client asked for. This issue dates back to 1983 and rcp, on
which scp is based. A separate flaw in the client allows the target directory
attributes to be changed arbitrarily. Finally, two vulnerabilities in clients
may allow the server to spoof the client output.

Impact
------

A malicious scp server can write arbitrary files to the scp target directory,
change the target directory permissions and spoof the client output.

Details
-------

The discovered vulnerabilities, described in more detail below, enable the
attack described here in brief.

1. The attacker-controlled server or Man-in-the-Middle(*) attack drops a
   .bash_aliases file to the victim's home directory when the victim performs
   an scp operation from the server. The transfer of the extra file is hidden
   by sending ANSI control sequences via stderr. For example:

   user@local:~$ scp user@remote:readme.txt .
   readme.txt                                  100%  494     1.6KB/s   00:00
   user@local:~$

2. Once the victim launches a new shell, the malicious commands in
   .bash_aliases get executed.

*) The Man-in-the-Middle attack does require the victim to accept the wrong
   host fingerprint.

Vulnerabilities
---------------

1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

   The scp client allows the server to modify permissions of the target
   directory by using an empty ("D0777 0 \n") or dot ("D0777 0 .\n")
   directory name.

2. CWE-20: scp client missing received object name validation [CVE-2019-6111]

   Due to the scp implementation being derived from 1983 rcp [1], the server
   chooses which files/directories are sent to the client. However, the scp
   client only performs cursory validation of the object name returned (only
   directory traversal attacks are prevented). A malicious scp server can
   overwrite arbitrary files in the scp client target directory. If recursive
   operation (-r) is performed, the server can manipulate subdirectories as
   well (for example, overwrite .ssh/authorized_keys).

   The same vulnerability in WinSCP is known as CVE-2018-20684.

3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

   Due to missing character encoding in the progress display, the object name
   can be used to manipulate the client output, for example to employ ANSI
   codes to hide additional files being transferred.

4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

   Due to accepting and displaying arbitrary stderr output from the scp
   server, a malicious server can manipulate the client output, for example
   to employ ANSI codes to hide additional files being transferred.

Proof-of-Concept
----------------

A proof-of-concept malicious scp server will be released at a later date.

Vulnerable versions
-------------------

The following software packages have some or all of the vulnerabilities:

                       ver      #1  #2  #3  #4
   OpenSSH scp         <=7.9    x   x   x   x
   PuTTY PSCP          ?        -   -   x   x
   WinSCP scp mode     <=5.13   -   x   -   -

Tectia SSH scpg3 is not affected since it exclusively uses the sftp protocol.

Mitigation
----------

1. OpenSSH

   1.1 Switch to sftp if possible.

   1.2 Apply the following patches to scp:

       CVE-2018-20685: https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
       CVE-2019-6109:  https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
       CVE-2019-6111:  https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

   1.3 Alternatively, apply the following patch to harden scp against most
       server-side manipulation attempts:
       https://sintonen.fi/advisories/scp-name-validator.patch

       NOTE: This unofficial patch may cause problems if the remote and local
       shells don't agree on the way glob() pattern matching works. YMMV.

2. PuTTY

   2.1 No fix is available yet.

3. WinSCP

   3.1 Upgrade to WinSCP 5.14 or later.

Similar or prior work
---------------------

1. CVE-2000-0992 - scp overwrites arbitrary files

References
----------

1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access

Issue tracking
--------------

Arch Linux
   https://security.archlinux.org/CVE-2018-20685

Debian GNU/Linux
   https://security-tracker.debian.org/tracker/CVE-2019-6111
   https://security-tracker.debian.org/tracker/CVE-2018-20685
   https://security-tracker.debian.org/tracker/CVE-2019-6109
   https://security-tracker.debian.org/tracker/CVE-2019-6110

Gentoo Linux
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6111
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6109
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6110

Red Hat Linux
   https://access.redhat.com/security/cve/cve-2019-6111
   https://access.redhat.com/security/cve/cve-2018-20685
   https://access.redhat.com/security/cve/cve-2019-6109
   https://access.redhat.com/security/cve/cve-2019-6110

SUSE Linux
   https://www.suse.com/security/cve/CVE-2019-6111
   https://www.suse.com/security/cve/CVE-2018-20685
   https://www.suse.com/security/cve/CVE-2019-6109
   https://www.suse.com/security/cve/CVE-2019-6110

Ubuntu
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6111.html
   https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20685.html
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6109.html
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6110.html

WinSCP
   https://www.cvedetails.com/cve/CVE-2018-20684

PuTTY PSCP
   https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html

Credits
-------

These vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.

Timeline
--------

2018.08.08 initial discovery of vulnerabilities #1 and #2
2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH
2018.08.10 OpenSSH acknowledged the vulnerabilities
2018.08.14 discovered & reported vulnerability #3 to OpenSSH
2018.08.15 discovered & reported vulnerability #4 to OpenSSH
2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers
2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers
2018.09.04 WinSCP developers reported vulnerability #2 fixed
2018.11.12 requested a status update from OpenSSH
2018.11.16 OpenSSH fixed vulnerability #1
2019.01.07 requested a status update from OpenSSH
2019.01.08 requested CVE assignments from MITRE
2019.01.10 received CVE assignments from MITRE
2019.01.11 public disclosure of the advisory
2019.01.14 added a warning about the potential issues caused by the patch
2019.01.15 added issue tracking section (Arch, Debian, Red Hat, SUSE, Ubuntu)
2019.01.15 fixed patch for BROKEN_ONE_BYTE_DIRENT_D_NAME
2019.01.17 updated Ubuntu issue tracking, added Gentoo issue tracking
2019.02.01 added PuTTY PSCP issue tracking
2019.02.09 added links to official patches to mitigation section
2019.02.26 fixed the unofficial patch with "dir/." src syntax
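The client-side checks that the mitigations above amount to, written as an added example (this is neither OpenSSH's scp.c nor the advisory author's name-validator patch): it splits the C/D control records an scp server sends, rejects the empty and "." directory names of vulnerability #1, rejects traversal, matches each received name against the glob the user typed (#2, in the spirit of the fnmatch-based fix) and replaces control bytes in a name before it is shown (#3). The record strings, the verdict enum and the in_subdir flag are this example's own assumptions; E and T records are not handled.

```c
#define _POSIX_C_SOURCE 200809L   /* for fnmatch() */
#include <ctype.h>
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_BAD_RECORD, SCP_BAD_NAME, SCP_UNEXPECTED };

/* Return the name field of a sink control record such as "C0644 494 readme.txt"
 * or "D0755 0 subdir" (no trailing newline), after checking that the type
 * letter, octal mode and decimal size are well formed. NULL if malformed. */
static const char *scp_record_name(const char *rec)
{
    char *end;
    if (rec[0] != 'C' && rec[0] != 'D') return NULL;
    (void)strtoul(rec + 1, &end, 8);            /* mode, e.g. 0644 */
    if (end == rec + 1 || *end != ' ') return NULL;
    (void)strtoul(end + 1, &end, 10);           /* size in bytes */
    if (*end != ' ') return NULL;
    return end + 1;    /* may be "" on the wire: that is vulnerability #1 */
}

/* Check one record against the glob the user typed ("readme.txt", "*.log").
 * in_subdir is 1 for entries inside a server-sent directory during scp -r,
 * where the pattern no longer applies but the traversal checks still do. */
enum scp_verdict scp_check(const char *rec, const char *requested, int in_subdir)
{
    const char *name = scp_record_name(rec);
    if (name == NULL)
        return SCP_BAD_RECORD;
    /* CVE-2018-20685: "" or "." would apply the server's mode bits to the
     * client's target directory itself; a '/' anywhere is a traversal. */
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0
        || strchr(name, '/') != NULL)
        return SCP_BAD_NAME;
    /* CVE-2019-6111: accept only an object that matches what was asked for. */
    if (!in_subdir && fnmatch(requested, name, 0) != 0)
        return SCP_UNEXPECTED;
    return SCP_OK;
}

/* CVE-2019-6109: replace non-printable bytes (ESC, CR, ...) in a server-chosen
 * name with '?' before it reaches the terminal. Returns the count replaced. */
size_t scp_sanitize_name(char *name)
{
    size_t n = 0;
    for (unsigned char *p = (unsigned char *)name; *p; p++)
        if (!isprint(*p)) { *p = '?'; n++; }
    return n;
}
```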

Related news

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-29154: security - CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-2999: Oracle Critical Patch Update Advisory - October 2019

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Ja...

CVE-2019-2628: Oracle Critical Patch Update Advisory - April 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-20685: upstream: disallow empty incoming filename or ones that refer to the · openssh/openssh-portable@6010c03

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
