Bug 1666127 (CVE-2019-6111)

Summary: CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dawwu, jjelen, kyoshida, mvanderw, sardella
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:51:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1666128, 1666580, 1666581    
Bug Blocks: 1665788    

Description Sam Fowler 2019-01-15 00:36:26 UTC
OpenSSH has a vulnerability in the scp client utility. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).

External Reference:


Proposed Patch:


Comment 1 Sam Fowler 2019-01-15 00:36:47 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1666128]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-16 05:12:18 UTC

This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw essentially allows a malicious scp server to possibly overwrite arbitrary files in the scp client target directory or if recursive operation (-r) is chosen than the server can manipulate subdirectories on the client machine as well, subject to the file/directory permissions. 

To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection.

Also note that, since this is a flaw in the scp utility, the SSH client is not affected.

Comment 3 Huzaifa S. Sidhpurwala 2019-01-16 05:12:20 UTC

This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666127#c2

Comment 9 Huzaifa S. Sidhpurwala 2019-07-22 10:54:44 UTC

This issue only affects the users of scp binary which is a part of openssh-clients package. Other usage of SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removal of openssh-clients package will make the packaged binaries like scp, ssh etc unavailable. 

Note: This flaw requires a malicious MITM scp server for exploitation. Use cases where trusted SCP servers are used are not affected by this flaw.

Comment 10 errata-xmlrpc 2019-11-05 22:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3702 https://access.redhat.com/errata/RHSA-2019:3702

Comment 11 Product Security DevOps Team 2019-11-06 00:51:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):