Bug 1666127 (CVE-2019-6111) - CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client
Status: NEW
Alias: CVE-2019-6111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1666581 1666128 1666580
Blocks: 1665788
Reported: 2019-01-15 00:36 UTC by Sam Fowler
Modified: 2019-09-29 15:05 UTC

Description Sam Fowler 2019-01-15 00:36:26 UTC
OpenSSH has a vulnerability in the scp client utility. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, overwrite .ssh/authorized_keys).


External Reference:

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt


Proposed Patch:

https://sintonen.fi/advisories/scp-name-validator.patch
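
The missing check described above, sketched as an added example (this is not the proposed patch linked above and not OpenSSH code): the client compares each object name the server announces against what the user actually requested. The names `scp_name_allowed`, `last_component` and the `depth` parameter are hypothetical, and the sample names in `main` are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: last path component of the remote path or glob the user typed. */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/*
 * Hypothetical client-side check (not OpenSSH code).
 *   requested: remote path or glob from the command line, e.g. "report.pdf"
 *   received:  object name announced by the server
 *   depth:     0 for top-level objects, >0 inside a directory received with -r
 * Returns 1 if the name may be created locally, 0 if it must be rejected.
 */
int scp_name_allowed(const char *requested, const char *received, int depth)
{
    /* Cursory checks: no empty names, no path separators, no "." or "..". */
    if (received[0] == '\0' || strchr(received, '/') != NULL)
        return 0;
    if (strcmp(received, ".") == 0 || strcmp(received, "..") == 0)
        return 0;
    /* Inside a requested directory the contents cannot be predicted, so only
     * the checks above apply; the directory itself was matched at depth 0. */
    if (depth > 0)
        return 1;
    /* Top level: the name must match what was asked for. FNM_PERIOD is an
     * assumption that the remote glob does not match leading dots. */
    return fnmatch(last_component(requested), received, FNM_PERIOD) == 0;
}

int main(void)
{
    /* Constructed server replies to the glob requested below. */
    const char *names[] = { "notes.txt", ".bashrc", "authorized_keys", "../x" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-16s %s\n", names[i],
               scp_name_allowed("docs/*.txt", names[i], 0) ? "accept" : "reject");
    return 0;
}
```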

Comment 1 Sam Fowler 2019-01-15 00:36:47 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1666128]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-16 05:12:18 UTC
Analysis:

This is a flaw in the scp client (/usr/bin/scp) shipped as a part of the openssh-clients package. The flaw essentially allows a malicious scp server to possibly overwrite arbitrary files in the scp client target directory or, if recursive operation (-r) is chosen, then the server can manipulate subdirectories on the client machine as well, subject to the file/directory permissions.

To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection.

Also note that, since this is a flaw in the scp utility, the SSH client is not affected.

Comment 3 Huzaifa S. Sidhpurwala 2019-01-16 05:12:20 UTC
Statement:

This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666127#c2

Comment 9 Huzaifa S. Sidhpurwala 2019-07-22 10:54:44 UTC
Mitigation:

This issue only affects users of the scp binary, which is a part of the openssh-clients package. Other usage of the SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removal of the openssh-clients package will make the packaged binaries like scp, ssh, etc. unavailable.

Note: This flaw requires a malicious MITM scp server for exploitation. Use cases where trusted SCP servers are used are not affected by this flaw.