CVE-2018-20685

Published: 10/01/2019 Updated: 23/02/2023
CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 231
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Vulnerability Summary

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

Vulnerable Product

openbsd openssh

winscp winscp

netapp cloud backup -

netapp element software -

netapp storage automation store -

netapp ontap select deploy -

netapp steelstore cloud integrated storage -

debian debian linux 8.0

debian debian linux 9.0

canonical ubuntu linux 16.04

canonical ubuntu linux 14.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

redhat enterprise linux 7.0

redhat enterprise linux 8.0

redhat enterprise linux eus 8.1

redhat enterprise linux eus 8.2

redhat enterprise linux server tus 8.2

redhat enterprise linux server aus 8.2

redhat enterprise linux server tus 8.4

redhat enterprise linux eus 8.4

redhat enterprise linux server aus 8.4

redhat enterprise linux server aus 8.6

redhat enterprise linux server tus 8.6

redhat enterprise linux eus 8.6

oracle solaris 10

fujitsu m10-1_firmware

fujitsu m10-4_firmware

fujitsu m10-4s_firmware

fujitsu m12-1_firmware

fujitsu m12-2_firmware

fujitsu m12-2s_firmware

siemens scalance_x204rna_firmware

siemens scalance_x204rna_eec_firmware

Vendor Advisories

Synopsis: Moderate: openssh security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for openssh is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sy ...
Several security issues were fixed in OpenSSH ...
Debian Bug report logs - #923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Mike Gabriel <sunweaver@debian.org>; Date: Thu, 28 Feb 2019 20:57:02 ...
Debian Bug report logs - #919101: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sa ...
Debian Bug report logs - #920486: netkit-rsh: CVE-2019-7282 CVE-2019-7283. Package: rsh-client; Maintainer for rsh-client is Alberto Gonzalez Iniesta <agi@inittab.org>; Source for rsh-client is src:netkit-rsh (PTS, buildd, popcon); Reported by: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>; Date: Sat, 26 Jan 2019 05:24:0 ...
Debian Bug report logs - #793412: openssh-client: scp can send arbitrary control characters / escape sequences to the terminal (CVE-2019-6109). Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh (PTS, buildd, popcon); Repor ...
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c ...
An issue was discovered in OpenSSH. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker ...
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename ...

Github Repositories

Linux Restricted Shell Breakout & privilege escalation on Direct Admin using OpenSSH, CPAN shell and FileZilla.

Leveraging CPAN shell to change installation directory: o conf commit makepl_perl INSTALL_BASE='/home/nelaar/perl' o conf commit mbuildpl_perl --install_base='/home/nelaar/perl' o conf commit o conf commit makepl_PERL5LIB INSTALL_BASE='

Recent Articles

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps
The Register • Shaun Nichols in San Francisco • 15 Jan 2019

Data transfer tools caught not checking what exactly they're downloading

A decades-old oversight in the design of Secure Copy Protocol (SCP) tools can be exploited by malicious servers to unexpectedly alter victims' files on their client machines, it has emerged. F-Secure's Harry Sintonen discovered a set of five CVE-listed vulnerabilities, which can be abused by evil servers to overwrite arbitrary files on a computer connected via SCP. If you use a vulnerable version of OpenSSH's scp, PuTTY's PSCP, or WinSCP, to securely transfer files from a remote server, that ser...