CVE-2019-6110
published 2019-01-31


Priority: P1 79 medium · CVSS 3.1: 6.8
Flags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 20.91% (97.2th percentile)
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Affected

6 ranges
Vendor     Product                          Version range   Fixed in
debian     openssh
openbsd    openssh                          <= 7.9
paloalto   prisma_sd
siemens    scalance_x204rna_eec_firmware    < 3.2.7         3.2.7
siemens    scalance_x204rna_firmware        < 3.2.7         3.2.7
winscp     winscp                           <= 5.13

Detection & IOCs (extracted from sources)

port: 2222
filename: exploit.txt
command: scp -P 2222 foo@localhost:test.txt .
command: C0664 {} exploit.txt\n (malicious SCP file transfer command)
command: C0777 {} generatereport\n (malicious SCP file transfer command with executable permissions)
bytes: \x1b[1A (ANSI escape sequence sent via stderr to hide file transfer)
  • Monitor for SCP sessions where the server-side file permission field in the 'C' protocol message is 0777 (world-executable), which may indicate delivery of a malicious executable payload.
  • Flag SCP connections to servers on non-standard port 2222 where the host key is newly generated or unknown, as the PoC exploit binds on this port and generates a fresh RSA key each run.
  • Inspect stderr output of SCP client sessions for arbitrary content; legitimate SCP servers do not send unsolicited data on the stderr channel during file transfer.
  • Only the scp binary (openssh-clients package) is affected; the SSH protocol itself and other SSH clients are not vulnerable.
  • Exploitation requires the victim to connect to a malicious SSH server or be subject to a MITM attack; connections exclusively to trusted SSH servers are not at risk.
  • Red Hat rates this as moderate severity; no upstream fix was committed and Debian tracks it as open across all active releases (bookworm, bullseye, sid, trixie, forky).
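A client-side check for two of the indicators listed above (executable modes in the server's 'C' protocol messages and escape sequences arriving on stderr), written as an added example for this record and not taken from any of its sources; the SCP stream and stderr bytes are constructed samples, and `requested` is an assumed set of the filenames the user actually asked for.

```python
import re

# Constructed sample of the server-to-client SCP stream: one legitimate file,
# then an unrequested world-executable file as in the IOCs above.
SAMPLE_SCP_STREAM = (
    b"C0664 5 test.txt\n" + b"hello" + b"\x00"
    + b"C0777 7 generatereport\n" + b"payload" + b"\x00"
)
# Constructed stderr bytes: cursor-up and clear-line, used to hide a transfer line.
SAMPLE_STDERR = b"\x1b[1A\x1b[2K"

# 'C'/'D' control messages: kind, four-digit octal mode, size, name, newline.
CONTROL_RE = re.compile(rb"^([CD])([0-7]{4}) (\d+) ([^\n]*)\n")
# CSI escape sequences: ESC [ parameters final-byte.
ANSI_RE = re.compile(rb"\x1b\[[0-9;?]*[@-~]")


def parse_scp_stream(stream):
    """Walk the server's SCP messages and return the file/directory entries."""
    entries, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\n", pos)
        if end == -1:
            break
        line, pos = stream[pos:end + 1], end + 1
        m = CONTROL_RE.match(line)
        if not m:
            continue  # 'T' timestamps and 'E' end-of-directory carry no mode
        kind, mode, size, name = m.groups()
        entry = {"kind": kind.decode(), "mode": int(mode, 8),
                 "size": int(size), "name": name.decode(errors="replace")}
        entries.append(entry)
        if kind == b"C":
            pos += entry["size"] + 1  # skip file body and trailing status byte
    return entries


def find_ansi_escapes(stderr):
    """Return every CSI escape sequence the server wrote to stderr."""
    return ANSI_RE.findall(stderr)


def review_transfer(stream, stderr, requested):
    """Collect findings: unrequested files, executable modes, stderr escapes."""
    findings = []
    for e in parse_scp_stream(stream):
        if e["kind"] == "C" and e["name"] not in requested:
            findings.append(f"unrequested file {e['name']!r}")
        if e["kind"] == "C" and e["mode"] & 0o111:
            findings.append(f"executable mode {e['mode']:04o} on {e['name']!r}")
    for esc in find_ansi_escapes(stderr):
        findings.append(f"ANSI escape {esc!r} on stderr")
    return findings
```

Running `review_transfer(SAMPLE_SCP_STREAM, SAMPLE_STDERR, {"test.txt"})` on the samples reports the unrequested file, its 0777 mode and both escape sequences; a client that sanitises stderr and rejects entries it did not request removes the two conditions this CVE relies on.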

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.8     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
nvd             v2.0      4.0     MEDIUM     AV:N/AC:H/Au:N/C:P/I:P/A:N
osv                       6.8     MEDIUM
vulncheck                 6.8     MEDIUM
vendor_debian             6.8     LOW
vendor_redhat             6.8     MEDIUM