CVE-2019-6111

OpenSSH SCP Client - Write Arbitrary Files

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Se ha descubierto un problema en OpenSSH 7.9. Debido a que la implementación de SCP deriva del rcp 1983, el servidor elige qué archivos/directorios se están enviando al cliente. Sin embargo, el cliente scp solo realiza la validación superficial del nombre de objeto devuelto (solo se evitan los ataques de salto de directorio). Un servidor scp malicioso (o atacante Man-in-the-Middle) puede sobrescribir archivos arbitrarios en el directorio objetivo del cliente scp. Si se realiza la operación recursiva (-r), el servidor también puede manipular subdirectorios (por ejemplo, para sobrescribir el archivo .ssh/authorized_keys)

SCP clients have an issue where additional files can be copied over without your knowledge.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-01-10 CVE Reserved
2019-01-11 First Exploit
2019-01-16 CVE Published
2024-06-23 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (26)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2019/04/18/1	Mailing List
http://www.openwall.com/lists/oss-security/2022/08/02/1	Mailing List
http://www.securityfocus.com/bid/106741	Broken Link
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf	Third Party Advisory
https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c	Release Notes
https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44229841880dcb64842fa7d23%40%3Cdev.mina.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d1df56dc6d107c1fe885148b%40%3Cdev.mina.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d7d4bec771e1ae55153c5c7a%40%3Cdev.mina.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba195743def9730e49561e8cf3f%40%3Cdev.mina.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html	Mailing List
https://security.netapp.com/advisory/ntap-20190213-0001	Third Party Advisory
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/46516	2019-01-11
https://www.exploit-db.com/exploits/46193	2024-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=1677794	2024-08-04

URL	Date	SRC
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3702	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G	2023-11-07
https://security.gentoo.org/glsa/201903-16	2023-11-07
https://usn.ubuntu.com/3885-1	2023-11-07
https://usn.ubuntu.com/3885-2	2023-11-07
https://www.debian.org/security/2019/dsa-4387	2023-11-07
https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-6111	2019-11-05
https://bugzilla.redhat.com/show_bug.cgi?id=1666127	2019-11-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fujitsu Search vendor "Fujitsu"	M10-1 Firmware Search vendor "Fujitsu" for product "M10-1 Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M10-1 Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-1 Search vendor "Fujitsu" for product "M10-1"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4 Firmware Search vendor "Fujitsu" for product "M10-4 Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M10-4 Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4 Search vendor "Fujitsu" for product "M10-4"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4s Firmware Search vendor "Fujitsu" for product "M10-4s Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M10-4s Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4s Search vendor "Fujitsu" for product "M10-4s"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-1 Firmware Search vendor "Fujitsu" for product "M12-1 Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M12-1 Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-1 Search vendor "Fujitsu" for product "M12-1"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-2 Firmware Search vendor "Fujitsu" for product "M12-2 Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M12-2 Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-2 Search vendor "Fujitsu" for product "M12-2"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-2s Firmware Search vendor "Fujitsu" for product "M12-2s Firmware"	< xcp2361 Search vendor "Fujitsu" for product "M12-2s Firmware" and version " < xcp2361"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-2s Search vendor "Fujitsu" for product "M12-2s"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-1 Firmware Search vendor "Fujitsu" for product "M10-1 Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M10-1 Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-1 Search vendor "Fujitsu" for product "M10-1"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4 Firmware Search vendor "Fujitsu" for product "M10-4 Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M10-4 Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4 Search vendor "Fujitsu" for product "M10-4"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4s Firmware Search vendor "Fujitsu" for product "M10-4s Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M10-4s Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4s Search vendor "Fujitsu" for product "M10-4s"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-1 Firmware Search vendor "Fujitsu" for product "M12-1 Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M12-1 Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-1 Search vendor "Fujitsu" for product "M12-1"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-2 Firmware Search vendor "Fujitsu" for product "M12-2 Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M12-2 Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-2 Search vendor "Fujitsu" for product "M12-2"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M12-2s Firmware Search vendor "Fujitsu" for product "M12-2s Firmware"	< xcp3070 Search vendor "Fujitsu" for product "M12-2s Firmware" and version " < xcp3070"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M12-2s Search vendor "Fujitsu" for product "M12-2s"	-	-	Safe
Siemens Search vendor "Siemens"	Scalance X204rna Firmware Search vendor "Siemens" for product "Scalance X204rna Firmware"	< 3.2.7 Search vendor "Siemens" for product "Scalance X204rna Firmware" and version " < 3.2.7"	-	Affected	in	Siemens Search vendor "Siemens"	Scalance X204rna Search vendor "Siemens" for product "Scalance X204rna"	-	-	Safe
Siemens Search vendor "Siemens"	Scalance X204rna Eec Firmware Search vendor "Siemens" for product "Scalance X204rna Eec Firmware"	< 3.2.7 Search vendor "Siemens" for product "Scalance X204rna Eec Firmware" and version " < 3.2.7"	-	Affected	in	Siemens Search vendor "Siemens"	Scalance X204rna Eec Search vendor "Siemens" for product "Scalance X204rna Eec"	-	-	Safe
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				<= 7.9 Search vendor "Openbsd" for product "Openssh" and version " <= 7.9"		-		Affected
Winscp Search vendor "Winscp"		Winscp Search vendor "Winscp" for product "Winscp"				<= 5.1.3 Search vendor "Winscp" for product "Winscp" and version " <= 5.1.3"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.1 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.1"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				8.6 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				8.6 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				8.2 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				8.4 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				8.6 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.6"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Apache Search vendor "Apache"		Mina Sshd Search vendor "Apache" for product "Mina Sshd"				2.2.0 Search vendor "Apache" for product "Mina Sshd" and version "2.2.0"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				< 12.0 Search vendor "Freebsd" for product "Freebsd" and version " < 12.0"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				12.0 Search vendor "Freebsd" for product "Freebsd" and version "12.0"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				12.0 Search vendor "Freebsd" for product "Freebsd" and version "12.0"		p1		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				12.0 Search vendor "Freebsd" for product "Freebsd" and version "12.0"		p2		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				12.0 Search vendor "Freebsd" for product "Freebsd" and version "12.0"		p3		Affected