CVE-2019-6110
Published 2019-01-31
Priority: P179 · medium · 6.8 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 20.91% (97.2th percentile)
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| openbsd | openssh | <= 7.9 | — |
| paloalto | prisma_sd | — | — |
| siemens | scalance_x204rna_eec_firmware | < 3.2.7 | 3.2.7 |
| siemens | scalance_x204rna_firmware | < 3.2.7 | 3.2.7 |
| winscp | winscp | <= 5.13 | — |
Detection & IOCs (extracted from sources)
bytes
\x1b[1A (ANSI escape sequence sent via stderr to hide file transfer)
- Monitor for SCP sessions where the server-side file permission field in the 'C' protocol message is 0777 (world-executable), which may indicate delivery of a malicious executable payload.
- Flag SCP connections to servers on non-standard port 2222 where the host key is newly generated or unknown, as the PoC exploit binds on this port and generates a fresh RSA key each run.
- Inspect stderr output of SCP client sessions for arbitrary content; legitimate SCP servers do not send unsolicited data on the stderr channel during file transfer.
- Only the scp binary (openssh-clients package) is affected; the SSH protocol itself and other SSH clients are not vulnerable.
- Exploitation requires the victim to connect to a malicious SSH server or be subject to a MITM attack; connections exclusively to trusted SSH servers are not at risk.
- Red Hat rates this as moderate severity; no upstream fix was committed and Debian tracks it as open across all active releases (bookworm, bullseye, sid, trixie, forky).
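The stderr inspection described in the list above, as an added example (not taken from any of the quoted sources): it scans captured scp stderr bytes for terminal control content such as the `\x1b[1A` pattern and renders it visibly instead of letting the terminal interpret it. The function names and the sample capture are constructed for illustration.

```python
import re

# One CSI sequence: ESC [ parameter bytes, intermediate bytes, final byte.
CSI = re.compile(rb"\x1b\[([0-?]*)([ -/]*)([@-~])")
# Final bytes that move the cursor or erase text, i.e. can rewrite what is on screen.
REWRITE_FINALS = b"ABCDEFGHJKfsu"
# Any other control byte except tab and newline. Carriage return is included
# because it returns the cursor to column 0 and lets later text overwrite the line.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def scan_stderr(data: bytes):
    """Return sorted (offset, kind, raw_bytes) findings for control content."""
    findings, covered = [], set()
    for m in CSI.finditer(data):
        kind = "csi-rewrite" if m.group(3) in REWRITE_FINALS else "csi-other"
        findings.append((m.start(), kind, m.group(0)))
        covered.update(range(m.start(), m.end()))
    for m in CONTROL.finditer(data):
        if m.start() not in covered:  # skip the ESC that starts a CSI finding
            findings.append((m.start(), "control-byte", m.group(0)))
    return sorted(findings)


def render_safe(data: bytes) -> str:
    """Escape every byte that is not printable ASCII, tab or newline."""
    out = []
    for b in data:
        if b in (0x09, 0x0A) or 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")  # shown as text, never sent raw to the tty
    return "".join(out)


# Constructed capture: one plain line, then the byte pattern listed above.
SAMPLE = b"remote: disk quota at 80%\n\x1b[1Aremote: done\n"

if __name__ == "__main__":
    for offset, kind, raw in scan_stderr(SAMPLE):
        print(f"offset {offset}: {kind} {render_safe(raw)}")
    print(render_safe(SAMPLE), end="")
```

To review a real session, redirect the client's stderr to a file (`scp ... 2>stderr.log`) and pass the file's bytes to `scan_stderr`.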
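CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| osv | | 6.8 | MEDIUM | |
| vulncheck | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | LOW | |
| vendor_redhat | | 6.8 | MEDIUM | |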
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
ICS Advisory
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
Debian
CVE-2019-6110: openssh - In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the...
vendor_debian·2019·CVSS 6.8
CVE-2019-6110 [MEDIUM] CVE-2019-6110: openssh - In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Red Hat
openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output
vendor_redhat·2018-11-16·CVSS 6.8
CVE-2019-6110 [MEDIUM] CWE-451 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output
A vulnerability was found in OpenSSH that could allow a remote attacker to conduct spoofing attacks. This is caused by the acceptance and display of arbitrary stderr output from the SCP server, where a man-in-the-middle attacker could exploit this vulnerability to spoof the SCP client output, misleading the user into thinking the operation was successful or reporting false information.
Statement: This vulnerability is rated as a moderate becaus
GHSA
GHSA-mv2j-4mm8-9xgv: In OpenSSH 7
ghsa_unreviewed·2022-05-13
CVE-2019-6110 [MEDIUM] CWE-838 GHSA-mv2j-4mm8-9xgv: In OpenSSH 7
OSV
CVE-2019-6110: In OpenSSH 7
osv·2019-01-31·CVSS 6.8
CVE-2019-6110 [MEDIUM] CVE-2019-6110: In OpenSSH 7
VulnCheck
OpenBSD openssh Inappropriate Encoding for Output Context
vulncheck·2019·CVSS 6.8
CVE-2019-6110 [MEDIUM] OpenBSD openssh Inappropriate Encoding for Output Context
Affected: OpenBSD openssh
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cybersecurityworks.com/blog/cyber-risk/how-safe-are-enterprise-data-storage-systems.html; https://cybersecurityworks.com/blog/ransomware/cyber-hygiene-ransomware-is-causing-critical-care-disruption-in-hospitals.html; https://cybe
No detection rules found.
Exploit-DB
SCP Client - Multiple Vulnerabilities (SSHtranger Things)
exploitdb·2019-01-18·CVSS 6.8
CVE-2019-6111 [MEDIUM] SCP Client - Multiple Vulnerabilities (SSHtranger Things)
---
# Exploit Title: SSHtranger Things
# Date: 2019-01-17
# Exploit Author: Mark E. Haase
# Vendor Homepage: https://www.openssh.com/
# Software Link: [download link if available]
# Version: OpenSSH 7.6p1
# Tested on: Ubuntu 18.04.1 LTS
# CVE : CVE-2019-6111, CVE-2019-6110
'''
Title: SSHtranger Things
Author: Mark E. Haase
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.
The server listens
Exploit-DB
OpenSSH SCP Client - Write Arbitrary Files
exploitdb·2019-01-11·CVSS 6.8
CVE-2019-6111 [MEDIUM] OpenSSH SCP Client - Write Arbitrary Files
---
'''
Title: SSHtranger Things
Author: Mark E. Haase
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.
The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.
$ python3 sshtranger_things.py
Download a file using a vulnerable client. The local path must be a dot:
$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[local
Bugzilla
CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output [fedora-all]
bugzilla·2019-01-15·CVSS 6.8
CVE-2019-6110 [MEDIUM] CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla
CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output
bugzilla·2019-01-15·CVSS 6.8
CVE-2019-6110 [MEDIUM] CVE-2019-6110 openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output
OpenSSH has a vulnerability in the scp client utility. Due to accepting and displaying arbitrary stderr output from the scp server, a malicious server can manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
External Reference:
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Proposed Patch:
https://sintonen.fi/advisories/scp-name-validator.patch
Discussion:
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1666125]
---
Analysis:
This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw exists in the way scp clients accept and displ
CTF
20190622-googlectfquals / README
ctf_writeups·2019
# Google CTF Quals 2019
**It's recommended to read our responsive [web version](https://balsn.tw/ctf_writeup/20190622-googlectfquals/) of this writeup.**
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c
- https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
- https://security.gentoo.org/glsa/201903-16
- https://security.netapp.com/advisory/ntap-20190213-0001/
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- https://www.exploit-db.com/exploits/46193/