CVE-2019-3463
Published: 2019-02-06
Priority: P265 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.87% (90.9th percentile)
Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian_gnu | linux_rssh | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pizzashack | rssh | — | — |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
Detection & IOCs
- Monitor rsync invocations for the presence of --daemon or --config flags passed through rssh, which should not be permitted and indicate an exploitation attempt of CVE-2019-3463.
- Alert on rssh-restricted accounts (shell set to /usr/bin/rssh) executing processes other than rsync/scp, as bypass of rssh restrictions results in arbitrary shell command execution.
- Detect use of the 'pre-xfer exec' option in rsync daemon config files, which is the most obvious vector for arbitrary code execution when --config is passed through rssh.
- Audit systems running rssh version 2.3.4 as this specific version is confirmed vulnerable to CVE-2019-3463, CVE-2019-3464, and CVE-2019-1000018.
- The rssh bypass requires an authenticated user; exploitation is not unauthenticated. Detection should focus on authenticated sessions abusing rsync argument passing.
- The exploit context in DOC 2 (Ruckus IoT Controller) involves a hard-coded SSH key for the 'vriotiotupgrade' account restricted to scp via rssh; the rssh bypass (CVE-2019-3463) is a chained risk, not the primary CVE of that advisory (CVE-2021-33216).
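The first three detection notes above, written as a small log check. This is an added example, not code from rssh or from any advisory listed here; the `user=… shell=… cmd=…` record format, the sample events, the sample config and all function names are constructed for illustration.

```python
import shlex
from pathlib import PurePosixPath

RSSH_SHELL = "/usr/bin/rssh"          # shell path named in the detection notes
ALLOWED = {"rsync", "scp"}            # assumption: match what your rssh.conf permits
BAD_FLAGS = ("--daemon", "--config")  # options rssh should never pass through

def parse_event(line):
    """Parse one constructed 'user=U shell=S cmd=ARGV...' record."""
    user, shell, cmd = line.split(" ", 2)
    return {"user": user.split("=", 1)[1],
            "shell": shell.split("=", 1)[1],
            "argv": shlex.split(cmd.split("=", 1)[1])}

def classify(event):
    """Return findings for one process execution by an rssh-restricted account."""
    if event["shell"] != RSSH_SHELL or not event["argv"]:
        return []
    exe = PurePosixPath(event["argv"][0]).name
    if exe not in ALLOWED:
        return ["unexpected-process:" + exe]
    if exe != "rsync":
        return []
    # Match both '--config FILE' and '--config=FILE' spellings.
    flags = [a.split("=", 1)[0] for a in event["argv"][1:]]
    return ["rsync-flag:" + f for f in flags if f in BAD_FLAGS]

def scan(lines):
    """Return (user, finding) pairs for every suspicious event."""
    return [(e["user"], f) for e in map(parse_event, lines) for f in classify(e)]

def config_exec_hooks(text):
    """Return rsync daemon config lines that set 'pre-xfer exec'."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        # Lenient match: ignore case and whitespace in the parameter name.
        key = "".join(line.split("=", 1)[0].split()).lower()
        if key == "pre-xferexec":
            hits.append(line)
    return hits

SAMPLE_EVENTS = [  # constructed events, not real logs
    "user=backup1 shell=/usr/bin/rssh cmd=rsync --server --sender -vlogDtpr . /srv/data/",
    "user=backup1 shell=/usr/bin/rssh cmd=rsync --server --daemon --config=/home/backup1/r.conf .",
    "user=backup2 shell=/usr/bin/rssh cmd=/usr/bin/id",
    "user=alice shell=/bin/bash cmd=rsync --daemon --config=/etc/rsyncd.conf",
]
SAMPLE_CONF = "# constructed\n[data]\npath = /srv/data\nPre-Xfer  Exec = /usr/local/bin/hook\n"
```

Feed `scan()` from whatever process-execution telemetry you already collect (auditd, EDR), mapped into the same three fields; the last sample event is ignored because that account's shell is not rssh.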
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 9.8 CRITICAL
GHSA
GHSA-vx65-qfv7-jcf4 · ghsa_unreviewed · 2022-05-13 · CVE-2019-3463 [CRITICAL] · CWE-88
OSV
CVE-2019-3463 [CRITICAL] · osv · 2019-02-06 · CVSS 9.8
Ubuntu
rssh vulnerabilities
vendor_ubuntu·2019-04-11
CVE-2019-1000018 rssh vulnerabilities
Title: rssh vulnerabilities
Summary: rssh could be made to run arbitrary commands if it received specially crafted
input.
It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh's command
restrictions, allowing an attacker to run arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
Bugzilla
CVE-2019-3463 rssh: rsync bypass resulting in arbitrary code execution [fedora-all]
bugzilla·2019-02-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2019-3463 rssh: rsync bypass resulting in arbitrary code execution
bugzilla·2019-02-04·CVSS 9.8
A flaw was found in rssh. The client could send the --daemon and --config options to the server and they would be passed through by rssh. Not only does this allow the client to start a daemon listening on the normal rsync port, which is probably not desirable, but various options set in the daemon configuration file specified with --config allow arbitrary code execution. (The most obvious is pre-xfer exec.)
References:
https://sourceforge.net/p/rssh/mailman/message/36536555/
Discussion:
Created rssh tracking bugs for this issue:
Affects: epel-all [bug 1672381]
Affects: fedora-all [bug 1672380]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a co
Bugzilla
CVE-2019-3463 rssh: rsync bypass resulting in arbitrary code execution [epel-all]
bugzilla·2019-02-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
- http://seclists.org/fulldisclosure/2021/May/78
- http://www.securityfocus.com/bid/106839
- https://lists.debian.org/debian-lts-announce/2019/02/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
- https://security.gentoo.org/glsa/202007-29
- https://tracker.debian.org/news/1026713/accepted-rssh-234-5deb9u2-source-amd64-into-stable-embargoed-stable/
- https://usn.ubuntu.com/3946-1/
- https://www.debian.org/security/2019/dsa-4382
Published: 2019-02-06