CVE-2019-6111

Published: 31/01/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 591
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Summary

An issue exists in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Vulnerable Product

openbsd openssh

winscp winscp

canonical ubuntu linux 16.04

canonical ubuntu linux 14.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

debian debian linux 8.0

debian debian linux 9.0

redhat enterprise linux 7.0

redhat enterprise linux 8.0

redhat enterprise linux eus 8.1

redhat enterprise linux eus 8.2

redhat enterprise linux server tus 8.2

redhat enterprise linux server aus 8.2

redhat enterprise linux server tus 8.4

redhat enterprise linux eus 8.4

redhat enterprise linux server aus 8.4

redhat enterprise linux server aus 8.6

redhat enterprise linux server tus 8.6

redhat enterprise linux eus 8.6

fedoraproject fedora 30

apache mina sshd 2.2.0

freebsd freebsd 12.0

freebsd freebsd

fujitsu m10-1_firmware

fujitsu m10-4_firmware

fujitsu m10-4s_firmware

fujitsu m12-1_firmware

fujitsu m12-2_firmware

fujitsu m12-2s_firmware

siemens scalance_x204rna_firmware

siemens scalance_x204rna_eec_firmware

Vendor Advisories

Synopsis: Moderate: openssh security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for openssh is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sy ...
One of the fixes in USN-3885-1 was incomplete ...
Several security issues were fixed in OpenSSH ...
Debian Bug report logs - #923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Mike Gabriel <sunweaver@debian.org>; Date: Thu, 28 Feb 2019 20:57:02 ...
Debian Bug report logs - #919101: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions. Package: src:openssh; Maintainer for src:openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sa ...
Debian Bug report logs - #920486: netkit-rsh: CVE-2019-7282 CVE-2019-7283. Package: rsh-client; Maintainer for rsh-client is Alberto Gonzalez Iniesta <agi@inittab.org>; Source for rsh-client is src:netkit-rsh (PTS, buildd, popcon); Reported by: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>; Date: Sat, 26 Jan 2019 05:24:0 ...
Debian Bug report logs - #793412: openssh-client: scp can send arbitrary control characters / escape sequences to the terminal (CVE-2019-6109). Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh (PTS, buildd, popcon) Repor ...
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c ...
An issue was discovered in OpenSSH. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker ...
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle atta ...

Exploits

SCP clients have an issue where additional files can be copied over without your knowledge ...
# Exploit Title: SSHtranger Things # Date: 2019-01-17 # Exploit Author: Mark E. Haase <mhaase@hyperiongray.com> # Vendor Homepage: www.openssh.com/ # Software Link: [download link if available] # Version: OpenSSH 7.6p1 # Tested on: Ubuntu 18.04.1 LTS # CVE : CVE-2019-6111, CVE-2019-6110 ''' Title: SSHtranger Things Author: Mar ...
''' Title: SSHtranger Things Author: Mark E. Haase <mhaase@hyperiongray.com> Homepage: www.hyperiongray.com Date: 2019-01-17 CVE: CVE-2019-6111, CVE-2019-6110 Advisory: sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1 We have nicknamed this ...

Github Repositories

Linux Restricted Shell Breakout & privilege escalation on Direct Admin using OpenSSH, CPAN shell and FileZilla.

Linux Restricted Shell Breakout & privilege escalation on Direct Admin using OpenSSH, CPAN shell and FileZilla Leveraging CPAN shell to change installation directory: o conf commit makepl_perl INSTALL_BASE='/home/nelaar/perl' o conf commit mbuildpl_perl --install_base='/home/nelaar/perl' o conf commit o conf commit makepl_PERL5LIB INSTALL_BASE='

I've published these rpms to help all sysadmins (for CentOS/Linux 7.x, and RedHat 7.x) to solve this CVE: nvd.nist.gov/vuln/detail/CVE-2019-6111. In my env "CentOS Linux release 7.9.2009 (Core)" after installation I've to run this command: chmod 600 /etc/ssh/*_key to start sshd. The dir OpenSSH-RPM contains a yum repo and all packages are signed with m

School project for the course "Cybersecurity & Virtualisation" (CSV) at Ghent University of Applied Sciences and Arts.

CSV-NPE2223. This repository contains files related to a school project for the course "Cybersecurity & Virtualisation" (CSV) at Ghent University of Applied Sciences and Arts. Description: The objective of this project was to identify and exploit a vulnerability within a software package that can be installed on a Debian virtual machine (VM). The first step invo

Recent Articles

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps
The Register • Shaun Nichols in San Francisco • 15 Jan 2019

Data transfer tools caught not checking what exactly they're downloading

A decades-old oversight in the design of Secure Copy Protocol (SCP) tools can be exploited by malicious servers to unexpectedly alter victims' files on their client machines, it has emerged. F-Secure's Harry Sintonen discovered a set of five CVE-listed vulnerabilities, which can be abused by evil servers to overwrite arbitrary files on a computer connected via SCP. If you use a vulnerable version of OpenSSH's scp, PuTTY's PSCP, or WinSCP, to securely transfer files from a remote server, that ser...

References

CWE-22
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
https://www.exploit-db.com/exploits/46193/
http://www.securityfocus.com/bid/106741
https://usn.ubuntu.com/3885-1/
https://www.debian.org/security/2019/dsa-4387
https://security.netapp.com/advisory/ntap-20190213-0001/
https://bugzilla.redhat.com/show_bug.cgi?id=1677794
https://usn.ubuntu.com/3885-2/
https://security.gentoo.org/glsa/201903-16
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html
http://www.openwall.com/lists/oss-security/2019/04/18/1
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html
https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://access.redhat.com/errata/RHSA-2019:3702
http://www.openwall.com/lists/oss-security/2022/08/02/1
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/
https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44229841880dcb64842fa7d23%40%3Cdev.mina.apache.org%3E
https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d1df56dc6d107c1fe885148b%40%3Cdev.mina.apache.org%3E
https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba195743def9730e49561e8cf3f%40%3Cdev.mina.apache.org%3E
https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d7d4bec771e1ae55153c5c7a%40%3Cdev.mina.apache.org%3E
https://nvd.nist.gov
https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10