CVE-2019-3463
published 2019-02-06


Priority: P265, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.87% (90.9th percentile)
Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

Affected

21 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux
canonical | ubuntu_linux
canonical | ubuntu_linux
canonical | ubuntu_linux
debian | debian_linux
debian | debian_linux
debian_gnulinux_rssh
fedoraproject | fedora
fedoraproject | fedora
fedoraproject | fedora
pizzashack | rssh
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2
rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2

Detection & IOCs (extracted from sources)

command: --daemon
command: --config
path: /usr/bin/rssh
  • Monitor rsync invocations for the presence of --daemon or --config flags passed through rssh, which should not be permitted and indicate an exploitation attempt of CVE-2019-3463.
  • Alert on rssh-restricted accounts (shell set to /usr/bin/rssh) executing processes other than rsync/scp, as bypass of rssh restrictions results in arbitrary shell command execution.
  • Detect use of the 'pre-xfer exec' option in rsync daemon config files, which is the most obvious vector for arbitrary code execution when --config is passed through rssh.
  • Audit systems running rssh version 2.3.4 as this specific version is confirmed vulnerable to CVE-2019-3463, CVE-2019-3464, and CVE-2019-1000018.
  • The rssh bypass requires an authenticated user; exploitation is not unauthenticated. Detection should focus on authenticated sessions abusing rsync argument passing.
  • The exploit context in the Ruckus IoT Controller advisory involves a hard-coded SSH key for the 'vriotiotupgrade' account restricted to scp via rssh; the rssh bypass (CVE-2019-3463) is a chained risk, not the primary CVE of that advisory (CVE-2021-33216).
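
The first three checks above, sketched as an added example (not code from the rssh project or from this page's sources). It assumes process-exec events are available as (user, command line) pairs, for instance from audit logs; the function names, the allow-list and all sample data are constructed for illustration.

```python
import os
import shlex

RSSH_SHELL = "/usr/bin/rssh"              # path from the page's IOC list
BLOCKED_OPTS = ("--daemon", "--config")   # flags from the page's IOC list
ALLOWED = {"rsync", "scp"}                # assumption: mirror your rssh.conf

def rssh_users(passwd_text):
    """Accounts whose login shell (7th passwd field) is rssh."""
    rows = (l.strip().split(":") for l in passwd_text.splitlines())
    return {f[0] for f in rows if len(f) == 7 and f[6] == RSSH_SHELL}

def check_exec(user, cmdline, restricted):
    """Return a finding for one process-exec event, or None."""
    argv = shlex.split(cmdline)
    if user not in restricted or not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog not in ALLOWED:
        return f"{user}: unexpected process {prog}"
    if prog == "rsync":
        for arg in argv[1:]:
            if arg.split("=", 1)[0] in BLOCKED_OPTS:
                return f"{user}: rsync invoked with {arg}"
    return None

def pre_xfer_exec(conf_text):
    """(line number, command) for each active 'pre-xfer exec' setting."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        name, sep, value = line.partition("=")
        # rsyncd.conf ignores case and whitespace in parameter names
        key = "".join(name.lower().split())
        if sep and key == "pre-xferexec":
            hits.append((n, value.strip()))
    return hits

# Constructed sample data, not taken from a real system.
PASSWD = ("alice:x:1001:1001::/home/alice:/bin/bash\n"
          "backup:x:1002:1002::/srv/backup:/usr/bin/rssh\n")
EVENTS = [("backup", "rsync --server --sender -logDtpr . /srv/backup/"),
          ("backup", "rsync --server --daemon --config=/tmp/r.conf ."),
          ("backup", "/bin/sh -c id"),
          ("alice", "/bin/sh -c id")]
CONF = "[data]\npath = /srv/data\n# pre-xfer exec = /bin/true\nPre-Xfer Exec = /opt/hook.sh\n"

if __name__ == "__main__":
    users = rssh_users(PASSWD)
    for user, cmd in EVENTS:
        print(check_exec(user, cmd, users))
    print(pre_xfer_exec(CONF))
```

Extend `ALLOWED` to whatever the local rssh.conf actually permits before alerting on it; the page's bullet names only rsync and scp.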

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 9.8 | CRITICAL