CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the…

medium5.9CVSS 3.1

AVNACHPRNUINSUCNIHAN

ITWEXPLOIT

Exploited in the wild

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Affected

57 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	mina_sshd	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	libssh	< libssh 0.12.0-1 (forky)	libssh 0.12.0-1 (forky)
debian	netkit-rsh	< netkit-rsh 0.17-20 (bookworm)	netkit-rsh 0.17-20 (bookworm)
debian	openssh	< openssh 1:7.9p1-9 (bookworm)	openssh 1:7.9p1-9 (bookworm)
fedoraproject	fedora	—	—
freebsd	freebsd	< 12.0	12.0
freebsd	freebsd	—	—
fujitsu	m10-1_firmware	< xcp2361	xcp2361
fujitsu	m10-1_firmware	< xcp3070	xcp3070
fujitsu	m10-4_firmware	< xcp2361	xcp2361
fujitsu	m10-4_firmware	< xcp3070	xcp3070
fujitsu	m10-4s_firmware	< xcp2361	xcp2361
fujitsu	m10-4s_firmware	< xcp3070	xcp3070
fujitsu	m12-1_firmware	< xcp2361	xcp2361
fujitsu	m12-1_firmware	< xcp3070	xcp3070
fujitsu	m12-2_firmware	< xcp2361	xcp2361
fujitsu	m12-2_firmware	< xcp3070	xcp3070
fujitsu	m12-2s_firmware	< xcp2361	xcp2361
fujitsu	m12-2s_firmware	< xcp3070	xcp3070

CVSS provenance

nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

osv5.9MEDIUM

vulncheck5.9MEDIUM