Bug 1666127 (CVE-2019-6111) - CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client
Summary: CVE-2019-6111 openssh: Improper validation of object names allows malicious s...
Alias: CVE-2019-6111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1666128 1666580 1666581
Blocks: 1665788
TreeView+ depends on / blocked
Reported: 2019-01-15 00:36 UTC by Sam Fowler
Modified: 2022-10-14 11:12 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-06 00:51:47 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3702 0 None None None 2019-11-05 22:06:27 UTC

Description Sam Fowler 2019-01-15 00:36:26 UTC
OpenSSH has a vulnerability in the scp client utility. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).

External Reference:


Proposed Patch:


Comment 1 Sam Fowler 2019-01-15 00:36:47 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1666128]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-16 05:12:18 UTC

This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw essentially allows a malicious scp server to possibly overwrite arbitrary files in the scp client target directory or if recursive operation (-r) is chosen than the server can manipulate subdirectories on the client machine as well, subject to the file/directory permissions. 

To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection.

Also note that, since this is a flaw in the scp utility, the SSH client is not affected.

Comment 3 Huzaifa S. Sidhpurwala 2019-01-16 05:12:20 UTC

This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666127#c2

Comment 9 Huzaifa S. Sidhpurwala 2019-07-22 10:54:44 UTC

This issue only affects the users of scp binary which is a part of openssh-clients package. Other usage of SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removal of openssh-clients package will make the packaged binaries like scp, ssh etc unavailable. 

Note: This flaw requires a malicious MITM scp server for exploitation. Use cases where trusted SCP servers are used are not affected by this flaw.

Comment 10 errata-xmlrpc 2019-11-05 22:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3702 https://access.redhat.com/errata/RHSA-2019:3702

Comment 11 Product Security DevOps Team 2019-11-06 00:51:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.