CVE-2019-3464
published 2019-02-06


Priority: P264
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 4.70% (90.7th percentile)
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

Affected (21 ranges)

Vendor / Product               Version range       Fixed in
canonical / ubuntu_linux       (not extracted)     (not extracted)   4 ranges
debian / debian_linux          (not extracted)     (not extracted)   2 ranges
debian_gnulinux / rssh         (not extracted)     (not extracted)   1 range
fedoraproject / fedora         (not extracted)     (not extracted)   3 ranges
pizzashack / rssh              (not extracted)     (not extracted)   1 range
rssh / rssh                    >= 0 < 2.3.4-r1     2.3.4-r1          10 ranges

Detection & IOCs (extracted from sources)

Path: ~/.popt
  • Monitor for creation or modification of a .popt file in the home directory of any rssh-restricted user account, which is the primary delivery mechanism for CVE-2019-3464 exploitation.
  • Alert on use of the popt 'exec' feature or 'alias' feature (e.g., aliasing --server to --rsh) within any .popt file, as these are the two primary code-execution paths post-delivery.
  • Detect rsync operations performed by accounts restricted via rssh (e.g., shell set to /usr/bin/rssh), particularly those transferring files into the user's home directory, as this is the attack delivery vector.
  • In environments running rssh 2.3.4 (e.g., Ruckus IoT Controller ≤1.7.1.0), treat any rsync-based file transfer by a restricted account as high-risk for this bypass.
  • This vulnerability only affects rssh deployments where rsync is built with popt support (as is the case on Debian-based systems); rsync builds without popt are not vulnerable via this specific path.
  • The attack requires the attacker to already have authenticated rsync access (i.e., to be a legitimate but restricted rssh user) in order to plant the malicious .popt file.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv      -         9.8     CRITICAL   -