Bug 1666124 (CVE-2019-6110)
| Field | Value |
|---|---|
| Summary | CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Sam Fowler <sfowler> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | apmukher, dbelyavs, jjelen, mdogra, mvanderw, sardella, sfowler |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was found in OpenSSH that could allow a remote attacker to conduct spoofing attacks. This is caused by the acceptance and display of arbitrary stderr output from the SCP server, where a man-in-the-middle attacker could exploit this vulnerability to spoof the SCP client output, misleading the user into thinking the operation was successful or reporting false information. |
| Last Closed | 2020-07-20 19:27:35 UTC |
| Bug Depends On | 1666125, 1666578, 1666579 |
| Bug Blocks | 1665788 |

Description
Sam Fowler
2019-01-15 00:31:59 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1666125]

Analysis:

This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw exists in the way scp clients accept and display arbitrary stderr output from the scp server. Similar to CVE-2019-6109 this flaw allows a malicious scp server to manipulate the output seen by the client (i.e. the progress display when the files are being transferred) by allowing the server to push ANSI characters to the client. Though this vulnerability has no impact on its own, it can be used with other flaws to hide additional files being transferred by the malicious client.

To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection.

Also note that, since this is a flaw in the scp utility, the SSH client is not affected.

Statement:

This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666124#c2

Mitigation:

This issue only affects the users of scp binary which is a part of openssh-clients package. Other usage of SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removing the openssh-clients package will make binaries like scp and ssh etc. unavailable on that system.

Note: To exploit this flaw, the victim needs to connect to a malicious SSH server or MITM (Man-in-the-middle) the scp connection, both of which can be detected by the system administrator via a change in the host key of the SSH server. Further, if connections via scp are made to only trusted SSH servers, then those use-cases are not vulnerable to this security flaw.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-6110
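
The analysis above turns on the client printing server-supplied stderr bytes, ANSI sequences included, straight to the terminal. As an added illustration (not code from OpenSSH or from this bug report), the filter below shows how a wrapper around a file-transfer client could render such bytes inert and report them; the function name, the sample bytes and the decision to escape carriage returns are assumptions of this example.

```python
import re

# ESC [ (or the 8-bit CSI byte) + parameter bytes + intermediate bytes + final byte.
CSI_RE = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
# C0 controls except \t and \n, DEL, and C1 controls. \r is included because
# it lets the sender overwrite the line the user is currently reading.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _escape(s: str) -> str:
    """Render every control character as a visible \\xNN token."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), s)


def sanitize_remote_stderr(data: bytes):
    """Return (safe_text, findings) for untrusted stderr bytes.

    safe_text contains no byte a terminal would interpret as a control
    function; findings is a sorted list of (offset, kind, escaped_text).
    """
    # Invalid UTF-8 becomes literal \xNN text instead of raising.
    text = data.decode("utf-8", errors="backslashreplace")
    spans = [m.span() for m in CSI_RE.finditer(text)]
    findings = [(m.start(), "csi", _escape(m.group()))
                for m in CSI_RE.finditer(text)]
    for m in CTRL_RE.finditer(text):
        # Skip control characters already reported as part of a CSI sequence.
        if not any(a <= m.start() < b for a, b in spans):
            findings.append((m.start(), "control", _escape(m.group())))
    return _escape(text), sorted(findings)


# Constructed sample: a warning line, then cursor-up and erase-line sequences
# followed by text that imitates a normal progress line.
SAMPLE = (b"scp: warning: slow link\n"
          b"\x1b[1A\x1b[2K"
          b"report.txt  100%  12KB  1.2MB/s  00:00\r\n")

if __name__ == "__main__":
    safe, found = sanitize_remote_stderr(SAMPLE)
    print(safe, end="")
    for offset, kind, shown in found:
        print(f"[alert] {kind} at byte offset {offset}: {shown}")
```
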