CVE-2019-3464
published 2019-02-06
Priority P264 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 4.70% (90.7th percentile)
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian_gnu | linux_rssh | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pizzashack | rssh | — | — |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
| rssh | rssh | >= 0 < 2.3.4-r1 | 2.3.4-r1 |
Detection & IOCs
- Monitor for creation or modification of a .popt file in the home directory of any rssh-restricted user account, which is the primary delivery mechanism for CVE-2019-3464 exploitation.
- Alert on use of the popt 'exec' feature or 'alias' feature (e.g., aliasing --server to --rsh) within any .popt file, as these are the two primary code-execution paths post-delivery.
- Detect rsync operations performed by accounts restricted via rssh (e.g., shell set to /usr/bin/rssh), particularly those transferring files to the user's home directory, as this is the attack delivery vector.
- In environments running rssh 2.3.4 (e.g., Ruckus IoT Controller ≤1.7.1.0), treat any rsync-based file transfer by a restricted account as high-risk for this bypass.
- This vulnerability only affects rssh deployments where rsync is built with popt support (as is the case on Debian-based systems); rsync builds without popt are not vulnerable via this specific path.
- The attack requires the attacker to already have authenticated rsync access (i.e., be a legitimate but restricted rssh user) in order to plant the malicious .popt file.
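A defender-side sketch of the first two checks above, added here as an example and not taken from any of the advisories: it lists accounts whose login shell is rssh, reports any ~/.popt in their home directories, and flags exec/alias lines. The fixture accounts, paths and option names are constructed; the function names are this example's own.

```python
import os
import tempfile

RISKY_DIRECTIVES = {"exec", "alias"}  # the two popt features named in the advisory

def rssh_accounts(passwd_text):
    """Yield (user, home) for passwd entries whose login shell binary is named rssh."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        if os.path.basename(fields[6]) == "rssh":
            yield fields[0], fields[5]

def scan_popt(path):
    """Return (line_no, directive, text) for each exec/alias line in a popt file."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            tokens = raw.split()
            # popt config lines read: <appname> <directive> <option> <value...>
            if len(tokens) >= 2 and tokens[1].lower() in RISKY_DIRECTIVES:
                hits.append((no, tokens[1].lower(), raw.strip()))
    return hits

def audit(passwd_text, root="/"):
    """Report every .popt under an rssh account's home; mere presence is a finding."""
    findings = []
    for user, home in rssh_accounts(passwd_text):
        popt = os.path.join(root, home.lstrip("/"), ".popt")
        if os.path.lexists(popt):
            # A symlinked .popt is reported but not followed or parsed.
            hits = [] if os.path.islink(popt) else scan_popt(popt)
            findings.append({"user": user, "path": popt, "directives": hits})
    return findings

def demo():
    """Constructed fixture: two rssh accounts (one with a .popt) and one normal user."""
    passwd = ("backup:x:1001:1001::/home/backup:/usr/bin/rssh\n"
              "mirror:x:1002:1002::/home/mirror:/usr/bin/rssh\n"
              "alice:x:1003:1003::/home/alice:/bin/bash\n")
    root = tempfile.mkdtemp()
    for user in ("backup", "mirror", "alice"):
        os.makedirs(os.path.join(root, "home", user))
    for user in ("backup", "alice"):  # alice is not rssh-restricted, so she is skipped
        with open(os.path.join(root, "home", user, ".popt"), "w") as fh:
            fh.write("rsync alias --constructed-a --constructed-b\n\n"
                     "rsync exec --constructed-c /placeholder/path\n")
    return audit(passwd, root)
```

On a live host, pass the contents of /etc/passwd to `audit()` and leave `root` at its default; a one-shot scan complements, but does not replace, file-creation monitoring on those home directories.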
CVSS provenance
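| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |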
Ubuntu
rssh vulnerabilities
vendor_ubuntu·2019-04-11
CVE-2019-1000018 rssh vulnerabilities
Title: rssh vulnerabilities
Summary: rssh could be made to run arbitrary commands if it received specially crafted
input.
It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh's command
restrictions, allowing an attacker to run arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
GHSA
GHSA-wp4w-52jh-8g3x: Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restric
ghsa_unreviewed·2022-05-13
CVE-2019-3464 [CRITICAL] CWE-665 GHSA-wp4w-52jh-8g3x
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
OSV
CVE-2019-3464: Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restric
osv·2019-02-06·CVSS 9.8
CVE-2019-3464 [CRITICAL]
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
Bugzilla
CVE-2019-3464 rssh: rsync bypass resulting in arbitrary code execution when built with popt [fedora-all]
bugzilla·2019-02-04·CVSS 9.8
CVE-2019-3464 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2019-3464 rssh: rsync bypass resulting in arbitrary code execution when built with popt
bugzilla·2019-02-04·CVSS 9.8
CVE-2019-3464 [CRITICAL]
A flaw was found in rssh. If rsync is built with popt (as it is in Debian), the popt library will attempt to open and parse ~/.popt on the server and interpret it as configuration for command line option parsing. If the client can rsync a .popt file to the home directory of the user protected with rssh, this allows arbitrary code execution on the server via several paths. The most obvious is via the popt exec feature which execs an arbitrary program as an external option filter, but a more sneaky approach is through the popt alias feature which allows one to alias a benign option (such as --server) to one that will run arbitrary code (such as --rsh).
References:
https://sourceforge.net/p/rssh/mai
Bugzilla
CVE-2019-3464 rssh: rsync bypass resulting in arbitrary code execution when built with popt [epel-all]
bugzilla·2019-02-04·CVSS 9.8
CVE-2019-3464 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mult
References:
- http://seclists.org/fulldisclosure/2021/May/78
- http://www.securityfocus.com/bid/106839
- https://lists.debian.org/debian-lts-announce/2019/02/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
- https://security.gentoo.org/glsa/202007-29
- https://tracker.debian.org/news/1026713/accepted-rssh-234-5deb9u2-source-amd64-into-stable-embargoed-stable/
- https://usn.ubuntu.com/3946-1/
- https://www.debian.org/security/2019/dsa-4382
2019-02-06
Published