Bug 1671294 (CVE-2019-1000018)

Summary: CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code execution
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: fdc, huzaifas, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:46:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1671295, 1671296    
Bug Blocks:    

Description Andrej Nemec 2019-01-31 10:29:24 UTC 
The allowscp option is intended to restrict users to only being able to scp files to or from the server, and not be able to run commands on the server.

When a user runs scp on their client, an scp command is also run on the server. This runs through rssh (the restricted user’s shell), which attempts to verify the arguments are “secure.” We can control exactly which scp command is run on the server by supplying it as an argument to ssh. If rssh considers our invocation secure, it will execute that command.

References:

https://esnet-security.github.io/vulnerabilities/20190115_rssh\

Upstream issue:

https://sourceforge.net/p/rssh/mailman/message/36519118/
Comment 1 Andrej Nemec 2019-01-31 10:29:34 UTC 
Created rssh tracking bugs for this issue:

Affects: epel-all [bug 1671296]
Affects: fedora-all [bug 1671295]
Comment 2 Product Security DevOps Team 2019-06-10 10:46:52 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.