Bug 1671294 (CVE-2019-1000018) - CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code execution
Summary: CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code e...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2019-1000018
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1671295 1671296
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-31 10:29 UTC by Andrej Nemec
Modified: 2020-04-27 16:36 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:46:52 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2019-01-31 10:29:24 UTC
The allowscp option is intended to restrict users to only being able to scp files to or from the server, and not be able to run commands on the server.

When a user runs scp on their client, an scp command is also run on the server. This runs through rssh (the restricted user’s shell), which attempts to verify the arguments are “secure.” We can control exactly which scp command is run on the server by supplying it as an argument to ssh. If rssh considers our invocation secure, it will execute that command.

References:

https://esnet-security.github.io/vulnerabilities/20190115_rssh\

Upstream issue:

https://sourceforge.net/p/rssh/mailman/message/36519118/

Comment 1 Andrej Nemec 2019-01-31 10:29:34 UTC
Created rssh tracking bugs for this issue:

Affects: epel-all [bug 1671296]
Affects: fedora-all [bug 1671295]

Comment 2 Product Security DevOps Team 2019-06-10 10:46:52 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.