var-201901-0010
Vulnerability from variot
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. OpenSSH Contains an access control vulnerability.Information may be obtained and information may be altered. OpenSSH is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. OpenSSH 7.9 version is vulnerable; other versions may also be affected. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-16
https://security.gentoo.org/
Severity: Normal Title: OpenSSH: Multiple vulnerabilities Date: March 20, 2019 Bugs: #675520, #675522 ID: 201903-16
Synopsis
Multiple vulnerabilities have been found in OpenSSH, the worst of which could allow a remote attacker to gain unauthorized access. Please review the CVE identifiers referenced below for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenSSH users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.9_p1-r4"
References
[ 1 ] CVE-2018-20685 https://nvd.nist.gov/vuln/detail/CVE-2018-20685 [ 2 ] CVE-2019-6109 https://nvd.nist.gov/vuln/detail/CVE-2019-6109 [ 3 ] CVE-2019-6110 https://nvd.nist.gov/vuln/detail/CVE-2019-6110 [ 4 ] CVE-2019-6111 https://nvd.nist.gov/vuln/detail/CVE-2019-6111
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201903-16
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: openssh security, bug fix, and enhancement update Advisory ID: RHSA-2019:3702-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:3702 Issue date: 2019-11-05 CVE Names: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 =====================================================================
- Summary:
An update for openssh is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.
The following packages have been upgraded to a later upstream version: openssh (8.0p1).
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. 1686065 - SSH connections get closed when time-based rekeyring is used and ClientAliveMaxCount=0 1691045 - Rebase OpenSSH to latest release (8.0p1?) 1707485 - Use high-level API to do signatures 1712436 - MD5 is used when writing password protected PEM 1732424 - ssh-keygen -A fails in FIPS mode because of DSA key 1732449 - rsa-sha2-*-cert-v01@openssh.com host key types are ignored in FIPS despite being in the policy
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
aarch64: openssh-askpass-8.0p1-3.el8.aarch64.rpm openssh-askpass-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-cavs-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-clients-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-debugsource-8.0p1-3.el8.aarch64.rpm openssh-keycat-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-ldap-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-server-debuginfo-8.0p1-3.el8.aarch64.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.aarch64.rpm
ppc64le: openssh-askpass-8.0p1-3.el8.ppc64le.rpm openssh-askpass-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-cavs-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-clients-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-debugsource-8.0p1-3.el8.ppc64le.rpm openssh-keycat-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-ldap-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-server-debuginfo-8.0p1-3.el8.ppc64le.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.ppc64le.rpm
s390x: openssh-askpass-8.0p1-3.el8.s390x.rpm openssh-askpass-debuginfo-8.0p1-3.el8.s390x.rpm openssh-cavs-debuginfo-8.0p1-3.el8.s390x.rpm openssh-clients-debuginfo-8.0p1-3.el8.s390x.rpm openssh-debuginfo-8.0p1-3.el8.s390x.rpm openssh-debugsource-8.0p1-3.el8.s390x.rpm openssh-keycat-debuginfo-8.0p1-3.el8.s390x.rpm openssh-ldap-debuginfo-8.0p1-3.el8.s390x.rpm openssh-server-debuginfo-8.0p1-3.el8.s390x.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.s390x.rpm
x86_64: openssh-askpass-8.0p1-3.el8.x86_64.rpm openssh-askpass-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-cavs-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-clients-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-debugsource-8.0p1-3.el8.x86_64.rpm openssh-keycat-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-ldap-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-server-debuginfo-8.0p1-3.el8.x86_64.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 8):
Source: openssh-8.0p1-3.el8.src.rpm
aarch64: openssh-8.0p1-3.el8.aarch64.rpm openssh-askpass-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-cavs-8.0p1-3.el8.aarch64.rpm openssh-cavs-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-clients-8.0p1-3.el8.aarch64.rpm openssh-clients-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-debugsource-8.0p1-3.el8.aarch64.rpm openssh-keycat-8.0p1-3.el8.aarch64.rpm openssh-keycat-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-ldap-8.0p1-3.el8.aarch64.rpm openssh-ldap-debuginfo-8.0p1-3.el8.aarch64.rpm openssh-server-8.0p1-3.el8.aarch64.rpm openssh-server-debuginfo-8.0p1-3.el8.aarch64.rpm pam_ssh_agent_auth-0.10.3-7.3.el8.aarch64.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.aarch64.rpm
ppc64le: openssh-8.0p1-3.el8.ppc64le.rpm openssh-askpass-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-cavs-8.0p1-3.el8.ppc64le.rpm openssh-cavs-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-clients-8.0p1-3.el8.ppc64le.rpm openssh-clients-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-debugsource-8.0p1-3.el8.ppc64le.rpm openssh-keycat-8.0p1-3.el8.ppc64le.rpm openssh-keycat-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-ldap-8.0p1-3.el8.ppc64le.rpm openssh-ldap-debuginfo-8.0p1-3.el8.ppc64le.rpm openssh-server-8.0p1-3.el8.ppc64le.rpm openssh-server-debuginfo-8.0p1-3.el8.ppc64le.rpm pam_ssh_agent_auth-0.10.3-7.3.el8.ppc64le.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.ppc64le.rpm
s390x: openssh-8.0p1-3.el8.s390x.rpm openssh-askpass-debuginfo-8.0p1-3.el8.s390x.rpm openssh-cavs-8.0p1-3.el8.s390x.rpm openssh-cavs-debuginfo-8.0p1-3.el8.s390x.rpm openssh-clients-8.0p1-3.el8.s390x.rpm openssh-clients-debuginfo-8.0p1-3.el8.s390x.rpm openssh-debuginfo-8.0p1-3.el8.s390x.rpm openssh-debugsource-8.0p1-3.el8.s390x.rpm openssh-keycat-8.0p1-3.el8.s390x.rpm openssh-keycat-debuginfo-8.0p1-3.el8.s390x.rpm openssh-ldap-8.0p1-3.el8.s390x.rpm openssh-ldap-debuginfo-8.0p1-3.el8.s390x.rpm openssh-server-8.0p1-3.el8.s390x.rpm openssh-server-debuginfo-8.0p1-3.el8.s390x.rpm pam_ssh_agent_auth-0.10.3-7.3.el8.s390x.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.s390x.rpm
x86_64: openssh-8.0p1-3.el8.x86_64.rpm openssh-askpass-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-cavs-8.0p1-3.el8.x86_64.rpm openssh-cavs-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-clients-8.0p1-3.el8.x86_64.rpm openssh-clients-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-debugsource-8.0p1-3.el8.x86_64.rpm openssh-keycat-8.0p1-3.el8.x86_64.rpm openssh-keycat-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-ldap-8.0p1-3.el8.x86_64.rpm openssh-ldap-debuginfo-8.0p1-3.el8.x86_64.rpm openssh-server-8.0p1-3.el8.x86_64.rpm openssh-server-debuginfo-8.0p1-3.el8.x86_64.rpm pam_ssh_agent_auth-0.10.3-7.3.el8.x86_64.rpm pam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2018-20685 https://access.redhat.com/security/cve/CVE-2019-6109 https://access.redhat.com/security/cve/CVE-2019-6111 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXcHzKNzjgjWX9erEAQiytQ/6Apphov2V0QmnXA+KO3ZZKBPXtgKv8Sv1 dPtXhTC+Keq4yX9/bXlIuyk6BUsMeaiIMlL5bSSKtq2I7rVxwubTcPX4rD+pQvx8 ArNJgn7U2/3xqwc0R8dNXx6o8vB1M6jXDtu8fKJOxW48evDJf6gE4gX2KUM9yxR2 MhCoHVkLp9a5f0T11yFPI11H0P8gXXQgboAkdt82Ui35T4tD8RndVyPCsllN2c/X QCCbvZ9e8OLJJoxsOryLcw8tpQHXK2AJMXWv0Us99kQtbaBULWWahhrg/tftLxtT pILFBaB/RsmGg1O6OkxJ2CuKl6ATC2Wlj/Z7uYPrS7MQDn+fXkH2gfcjb4Z4rqIL IyKbUpsyFEAaV5rJUeRaS7dGfuQldQbS96P8lUpCcOXPbYD8FgTrW2q3NjOKgYMU +gh2xPwmlRm+iYfmedPoR2+bTWNYv8JS+Cp/fZF4IFx2EJPQcxKLYshNKgcfkNkR rIZ4brUI79p84H01TcTh4mFAbR63Y+c36UAI3/fM/W/RkZn/PdoJtpfwg/tjOYZH rt9kL7SfAEhjHNtBuJGNol6e124srS6300hnfFovAr6llDOcYlrh3ZgVZjVrn6E8 TZhyZ84TGMOqykfH7B9XkJH82X+x3rd2m0ovCPq+Ly62BasdXVd0C2snzbx8OAM8 I+am8dhVlyM= =iPw4 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . scp client multiple vulnerabilities =================================== The latest version of this advisory is available at: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Overview
SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation.
Description
Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.
Impact
Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output.
Details
The discovered vulnerabilities, described in more detail below, enables the attack described here in brief.
-
The attacker controlled server or Man-in-the-Middle(*) attack drops .bash_aliases file to victim's home directory when the victim performs scp operation from the server. The transfer of extra files is hidden by sending ANSI control sequences via stderr. For example:
user@local:~$ scp user@remote:readme.txt . readme.txt 100% 494 1.6KB/s 00:00 user@local:~$
-
Once the victim launches a new shell, the malicious commands in .bash_aliases get executed.
*) Man-in-the-Middle attack does require the victim to accept the wrong host fingerprint.
Vulnerabilities
- CWE-20: scp client improper directory name validation [CVE-2018-20685]
The scp client allows server to modify permissions of the target directory by using empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name.
- CWE-20: scp client missing received object name validation [CVE-2019-6111]
Due to the scp implementation being derived from 1983 rcp [1], the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).
The same vulnerability in WinSCP is known as CVE-2018-20684.
Proof-of-Concept
Proof of concept malicious scp server will be released at a later date.
Vulnerable versions
The following software packages have some or all vulnerabilities:
ver #1 #2 #3 #4
OpenSSH scp <=7.9 x x x x PuTTY PSCP ? - - x x WinSCP scp mode <=5.13 - x - -
Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol.
Mitigation
- OpenSSH
1.1 Switch to sftp if possible
1.2 Alternatively apply the following patch to harden scp against most server-side manipulation attempts: https://sintonen.fi/advisories/scp-name-validator.patch
NOTE: This patch may cause problems if the the remote and local shells don't
agree on the way glob() pattern matching works. YMMV.
- PuTTY
2.1 No fix is available yet
- WinSCP
3.1. Upgrade to WinSCP 5.14 or later
Similar or prior work
- CVE-2000-0992 - scp overwrites arbitrary files
References
- https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access
Credits
The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.
Timeline
2018.08.08 initial discovery of vulnerabilities #1 and #2 2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH 2018.08.10 OpenSSH acknowledged the vulnerabilities 2018.08.14 discovered & reported vulnerability #3 to OpenSSH 2018.08.15 discovered & reported vulnerability #4 to OpenSSH 2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers 2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers 2018.09.04 WinSCP developers reported the vulnerability #2 fixed 2018.11.12 requested a status update from OpenSSH 2018.11.16 OpenSSH fixed vulnerability #1 2019.01.07 requested a status update from OpenSSH 2019.01.08 requested CVE assignments from MITRE 2019.01.10 received CVE assignments from MITRE 2019.01.11 public disclosure of the advisory 2019.01.14 added a warning about the potential issues caused by the patch
. All the vulnerabilities are in found in the scp client implementing the SCP protocol. The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.
For the stable distribution (stretch), these problems have been fixed in version 1:7.4p1-10+deb9u5.
For the detailed security status of openssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxe0w0ACgkQ3rYcyPpX RFs85AgA0GrSHO4Qf5FVsE3oXa+nMkZ4U6pbOA9dHotX54DEyNuIJrOsOv01cFxQ t2Z6uDkZptmHZT4uSWg2xIgMvpkGo9906ziZfHc0LTuHl8j++7cCDIDGZBm/iZaX ueQfl85gHDpte41JvUtpSBAwk1Bic7ltLUPDIGEiq6nQboxHIzsU7ULVb1l0wNxF sEFDPWGBS01HTa+QWgQaG/wbEhMRDcVz1Ck7dqpT2soQRohDWxU01j14q1EKe9O9 GHiWECvFSHBkkI/v8lNfSWnOWYa/+Aknri0CpjPc/bqh2Yx9rgp/Q5+FJ/FxJjmC bHFd+tbxB1LxEO96zKguYpPIzw7Kcw== =5Fd8 -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201901-0010", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "enterprise linux server tus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.2" }, { "model": "enterprise linux server tus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.4" }, { "model": "m10-1", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "m10-4", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "enterprise linux server aus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.6" }, { "model": "winscp", "scope": "lte", "trust": 1.0, "vendor": "winscp", "version": "5.13" }, { "model": "m12-2", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "scalance x204rna", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "3.2.7" }, { "model": "m12-2s", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "m12-1", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "9.0" }, { "model": "enterprise linux", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.0" }, { "model": "enterprise linux eus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.6" }, { "model": "m10-1", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "8.0" }, { "model": "enterprise linux server aus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.2" }, { "model": "storage automation store", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "16.04" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "30" }, { "model": "enterprise linux eus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.1" }, { "model": "enterprise linux server aus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.4" }, { "model": "scalance x204rna eec", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "3.2.7" }, { "model": "m10-4s", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "18.04" }, { "model": "enterprise linux eus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.2" }, { "model": "enterprise linux eus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.4" }, { "model": "m10-4", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "ontap select deploy", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "openssh", "scope": "lte", "trust": 1.0, "vendor": "openbsd", "version": "7.9" }, { "model": "m12-1", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "m12-2s", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "m12-2", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp2361" }, { "model": "enterprise linux server tus", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "8.6" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "14.04" }, { "model": "element software", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "m10-4s", "scope": "lt", "trust": 1.0, "vendor": "fujitsu", "version": "xcp3070" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "18.10" }, { "model": "openssh", "scope": "eq", "trust": 0.8, "vendor": "openbsd", "version": "7.9" }, { "model": "winscp", "scope": null, "trust": 0.8, "vendor": "winscp", "version": null }, { "model": "linux enterprise server 12-sp2", "scope": null, "trust": 0.3, "vendor": "suse", "version": null }, { "model": "linux enterprise server 12-sp1", "scope": null, "trust": 0.3, "vendor": "suse", "version": null }, { "model": "linux enterprise server sp3", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "12" }, { "model": "linux enterprise server ga", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "12" }, { "model": "linux enterprise server sp4", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "11" }, { "model": "linux enterprise server sp3 ltss", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "11" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "7" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "openssh", "scope": "eq", "trust": 0.3, "vendor": "openssh", "version": "7.9" }, { "model": "traffix sdc", "scope": "eq", "trust": 0.3, "vendor": "f5", "version": "5.1" }, { "model": "traffix sdc", "scope": "eq", "trust": 0.3, "vendor": "f5", "version": "5.0" }, { "model": "traffix sdc", "scope": "eq", "trust": 0.3, "vendor": "f5", "version": "4.4" } ], "sources": [ { "db": "BID", "id": "106843" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "NVD", "id": "CVE-2019-6109" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "7.9", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "5.13", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.2.7", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:scalance_x204rna:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:scalance_x204rna_eec_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.2.7", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:scalance_x204rna_eec:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp2361", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "xcp3070", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-6109" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Gentoo", "sources": [ { "db": "PACKETSTORM", "id": "152154" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ], "trust": 0.7 }, "cve": "CVE-2019-6109", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 4.9, "impactScore": 4.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "High", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.0, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2019-6109", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.6, "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.8, "baseSeverity": "Medium", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2019-6109", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "Required", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-6109", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201901-467", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2019-6109", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "NVD", "id": "CVE-2019-6109" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. OpenSSH Contains an access control vulnerability.Information may be obtained and information may be altered. OpenSSH is prone to a security-bypass vulnerability. \nSuccessfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. \nOpenSSH 7.9 version is vulnerable; other versions may also be affected. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201903-16\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenSSH: Multiple vulnerabilities\n Date: March 20, 2019\n Bugs: #675520, #675522\n ID: 201903-16\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenSSH, the worst of which\ncould allow a remote attacker to gain unauthorized access. Please review\nthe CVE identifiers referenced below for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/openssh-7.9_p1-r4\"\n\nReferences\n==========\n\n[ 1 ] CVE-2018-20685\n https://nvd.nist.gov/vuln/detail/CVE-2018-20685\n[ 2 ] CVE-2019-6109\n https://nvd.nist.gov/vuln/detail/CVE-2019-6109\n[ 3 ] CVE-2019-6110\n https://nvd.nist.gov/vuln/detail/CVE-2019-6110\n[ 4 ] CVE-2019-6111\n https://nvd.nist.gov/vuln/detail/CVE-2019-6111\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201903-16\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2019 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: openssh security, bug fix, and enhancement update\nAdvisory ID: RHSA-2019:3702-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:3702\nIssue date: 2019-11-05\nCVE Names: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 \n=====================================================================\n\n1. Summary:\n\nAn update for openssh is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nOpenSSH is an SSH protocol implementation supported by a number of Linux,\nUNIX, and similar operating systems. It includes the core files necessary\nfor both the OpenSSH client and server. \n\nThe following packages have been upgraded to a later upstream version:\nopenssh (8.0p1). \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.1 Release Notes linked from the References section. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically. \n1686065 - SSH connections get closed when time-based rekeyring is used and ClientAliveMaxCount=0\n1691045 - Rebase OpenSSH to latest release (8.0p1?)\n1707485 - Use high-level API to do signatures\n1712436 - MD5 is used when writing password protected PEM\n1732424 - ssh-keygen -A fails in FIPS mode because of DSA key\n1732449 - rsa-sha2-*-cert-v01@openssh.com host key types are ignored in FIPS despite being in the policy\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\naarch64:\nopenssh-askpass-8.0p1-3.el8.aarch64.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-debugsource-8.0p1-3.el8.aarch64.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.aarch64.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.aarch64.rpm\n\nppc64le:\nopenssh-askpass-8.0p1-3.el8.ppc64le.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-debugsource-8.0p1-3.el8.ppc64le.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.ppc64le.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.ppc64le.rpm\n\ns390x:\nopenssh-askpass-8.0p1-3.el8.s390x.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-debugsource-8.0p1-3.el8.s390x.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.s390x.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.s390x.rpm\n\nx86_64:\nopenssh-askpass-8.0p1-3.el8.x86_64.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-debugsource-8.0p1-3.el8.x86_64.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.x86_64.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.x86_64.rpm\n\nRed Hat Enterprise Linux BaseOS (v. 8):\n\nSource:\nopenssh-8.0p1-3.el8.src.rpm\n\naarch64:\nopenssh-8.0p1-3.el8.aarch64.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-cavs-8.0p1-3.el8.aarch64.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-clients-8.0p1-3.el8.aarch64.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-debugsource-8.0p1-3.el8.aarch64.rpm\nopenssh-keycat-8.0p1-3.el8.aarch64.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-ldap-8.0p1-3.el8.aarch64.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.aarch64.rpm\nopenssh-server-8.0p1-3.el8.aarch64.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.aarch64.rpm\npam_ssh_agent_auth-0.10.3-7.3.el8.aarch64.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.aarch64.rpm\n\nppc64le:\nopenssh-8.0p1-3.el8.ppc64le.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-cavs-8.0p1-3.el8.ppc64le.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-clients-8.0p1-3.el8.ppc64le.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-debugsource-8.0p1-3.el8.ppc64le.rpm\nopenssh-keycat-8.0p1-3.el8.ppc64le.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-ldap-8.0p1-3.el8.ppc64le.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.ppc64le.rpm\nopenssh-server-8.0p1-3.el8.ppc64le.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.ppc64le.rpm\npam_ssh_agent_auth-0.10.3-7.3.el8.ppc64le.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.ppc64le.rpm\n\ns390x:\nopenssh-8.0p1-3.el8.s390x.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-cavs-8.0p1-3.el8.s390x.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-clients-8.0p1-3.el8.s390x.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-debugsource-8.0p1-3.el8.s390x.rpm\nopenssh-keycat-8.0p1-3.el8.s390x.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-ldap-8.0p1-3.el8.s390x.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.s390x.rpm\nopenssh-server-8.0p1-3.el8.s390x.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.s390x.rpm\npam_ssh_agent_auth-0.10.3-7.3.el8.s390x.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.s390x.rpm\n\nx86_64:\nopenssh-8.0p1-3.el8.x86_64.rpm\nopenssh-askpass-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-cavs-8.0p1-3.el8.x86_64.rpm\nopenssh-cavs-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-clients-8.0p1-3.el8.x86_64.rpm\nopenssh-clients-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-debugsource-8.0p1-3.el8.x86_64.rpm\nopenssh-keycat-8.0p1-3.el8.x86_64.rpm\nopenssh-keycat-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-ldap-8.0p1-3.el8.x86_64.rpm\nopenssh-ldap-debuginfo-8.0p1-3.el8.x86_64.rpm\nopenssh-server-8.0p1-3.el8.x86_64.rpm\nopenssh-server-debuginfo-8.0p1-3.el8.x86_64.rpm\npam_ssh_agent_auth-0.10.3-7.3.el8.x86_64.rpm\npam_ssh_agent_auth-debuginfo-0.10.3-7.3.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-20685\nhttps://access.redhat.com/security/cve/CVE-2019-6109\nhttps://access.redhat.com/security/cve/CVE-2019-6111\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXcHzKNzjgjWX9erEAQiytQ/6Apphov2V0QmnXA+KO3ZZKBPXtgKv8Sv1\ndPtXhTC+Keq4yX9/bXlIuyk6BUsMeaiIMlL5bSSKtq2I7rVxwubTcPX4rD+pQvx8\nArNJgn7U2/3xqwc0R8dNXx6o8vB1M6jXDtu8fKJOxW48evDJf6gE4gX2KUM9yxR2\nMhCoHVkLp9a5f0T11yFPI11H0P8gXXQgboAkdt82Ui35T4tD8RndVyPCsllN2c/X\nQCCbvZ9e8OLJJoxsOryLcw8tpQHXK2AJMXWv0Us99kQtbaBULWWahhrg/tftLxtT\npILFBaB/RsmGg1O6OkxJ2CuKl6ATC2Wlj/Z7uYPrS7MQDn+fXkH2gfcjb4Z4rqIL\nIyKbUpsyFEAaV5rJUeRaS7dGfuQldQbS96P8lUpCcOXPbYD8FgTrW2q3NjOKgYMU\n+gh2xPwmlRm+iYfmedPoR2+bTWNYv8JS+Cp/fZF4IFx2EJPQcxKLYshNKgcfkNkR\nrIZ4brUI79p84H01TcTh4mFAbR63Y+c36UAI3/fM/W/RkZn/PdoJtpfwg/tjOYZH\nrt9kL7SfAEhjHNtBuJGNol6e124srS6300hnfFovAr6llDOcYlrh3ZgVZjVrn6E8\nTZhyZ84TGMOqykfH7B9XkJH82X+x3rd2m0ovCPq+Ly62BasdXVd0C2snzbx8OAM8\nI+am8dhVlyM=\n=iPw4\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. scp client multiple vulnerabilities\n===================================\nThe latest version of this advisory is available at:\nhttps://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\n\n\nOverview\n--------\n\nSCP clients from multiple vendors are susceptible to a malicious scp server performing\nunauthorized changes to target directory and/or client output manipulation. \n\n\nDescription\n-----------\n\nMany scp clients fail to verify if the objects returned by the scp server match those\nit asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate\nflaw in the client allows the target directory attributes to be changed arbitrarily. \nFinally, two vulnerabilities in clients may allow server to spoof the client output. \n\n\nImpact\n------\n\nMalicious scp server can write arbitrary files to scp target directory, change the\ntarget directory permissions and to spoof the client output. \n\n\nDetails\n-------\n\nThe discovered vulnerabilities, described in more detail below, enables the attack\ndescribed here in brief. \n\n1. The attacker controlled server or Man-in-the-Middle(*) attack drops .bash_aliases\n file to victim\u0027s home directory when the victim performs scp operation from the\n server. The transfer of extra files is hidden by sending ANSI control sequences\n via stderr. For example:\n\n user@local:~$ scp user@remote:readme.txt . \n readme.txt 100% 494 1.6KB/s 00:00\n user@local:~$\n\n2. Once the victim launches a new shell, the malicious commands in .bash_aliases get\n executed. \n\n\n*) Man-in-the-Middle attack does require the victim to accept the wrong host\n fingerprint. \n\n\nVulnerabilities\n---------------\n\n1. CWE-20: scp client improper directory name validation [CVE-2018-20685]\n\nThe scp client allows server to modify permissions of the target directory by using empty\n(\"D0777 0 \\n\") or dot (\"D0777 0 .\\n\") directory name. \n\n\n2. CWE-20: scp client missing received object name validation [CVE-2019-6111]\n\nDue to the scp implementation being derived from 1983 rcp [1], the server chooses which\nfiles/directories are sent to the client. However, scp client only perform cursory\nvalidation of the object name returned (only directory traversal attacks are prevented). \nA malicious scp server can overwrite arbitrary files in the scp client target directory. \nIf recursive operation (-r) is performed, the server can manipulate subdirectories\nas well (for example overwrite .ssh/authorized_keys). \n\nThe same vulnerability in WinSCP is known as CVE-2018-20684. \n\n\n3. \n\n\n4. \n\n\nProof-of-Concept\n----------------\n\nProof of concept malicious scp server will be released at a later date. \n\n\nVulnerable versions\n-------------------\n\nThe following software packages have some or all vulnerabilities:\n\n ver #1 #2 #3 #4\nOpenSSH scp \u003c=7.9 x x x x\nPuTTY PSCP ? - - x x\nWinSCP scp mode \u003c=5.13 - x - -\n\nTectia SSH scpg3 is not affected since it exclusively uses sftp protocol. \n\n\nMitigation\n----------\n\n1. OpenSSH\n\n1.1 Switch to sftp if possible\n\n1.2 Alternatively apply the following patch to harden scp against most server-side\n manipulation attempts: https://sintonen.fi/advisories/scp-name-validator.patch\n\n NOTE: This patch may cause problems if the the remote and local shells don\u0027t\n agree on the way glob() pattern matching works. YMMV. \n\n2. PuTTY\n\n2.1 No fix is available yet\n\n3. WinSCP\n\n3.1. Upgrade to WinSCP 5.14 or later\n\n\n\nSimilar or prior work\n---------------------\n\n1. CVE-2000-0992 - scp overwrites arbitrary files\n\n\nReferences\n----------\n\n1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access\n\n\nCredits\n-------\n\nThe vulnerability was discovered by Harry Sintonen / F-Secure Corporation. \n\n\nTimeline\n--------\n\n2018.08.08 initial discovery of vulnerabilities #1 and #2\n2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH\n2018.08.10 OpenSSH acknowledged the vulnerabilities\n2018.08.14 discovered \u0026 reported vulnerability #3 to OpenSSH\n2018.08.15 discovered \u0026 reported vulnerability #4 to OpenSSH\n2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers\n2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers\n2018.09.04 WinSCP developers reported the vulnerability #2 fixed\n2018.11.12 requested a status update from OpenSSH\n2018.11.16 OpenSSH fixed vulnerability #1\n2019.01.07 requested a status update from OpenSSH\n2019.01.08 requested CVE assignments from MITRE\n2019.01.10 received CVE assignments from MITRE\n2019.01.11 public disclosure of the advisory\n2019.01.14 added a warning about the potential issues caused by the patch\n\n\n. All the vulnerabilities\nare in found in the scp client implementing the SCP protocol. \n The check added in this version can lead to regression if the client and\n the server have differences in wildcard expansion rules. If the server is\n trusted for that purpose, the check can be disabled with a new -T option to\n the scp client. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:7.4p1-10+deb9u5. \n\nFor the detailed security status of openssh please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openssh\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxe0w0ACgkQ3rYcyPpX\nRFs85AgA0GrSHO4Qf5FVsE3oXa+nMkZ4U6pbOA9dHotX54DEyNuIJrOsOv01cFxQ\nt2Z6uDkZptmHZT4uSWg2xIgMvpkGo9906ziZfHc0LTuHl8j++7cCDIDGZBm/iZaX\nueQfl85gHDpte41JvUtpSBAwk1Bic7ltLUPDIGEiq6nQboxHIzsU7ULVb1l0wNxF\nsEFDPWGBS01HTa+QWgQaG/wbEhMRDcVz1Ck7dqpT2soQRohDWxU01j14q1EKe9O9\nGHiWECvFSHBkkI/v8lNfSWnOWYa/+Aknri0CpjPc/bqh2Yx9rgp/Q5+FJ/FxJjmC\nbHFd+tbxB1LxEO96zKguYpPIzw7Kcw==\n=5Fd8\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2019-6109" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "BID", "id": "106843" }, { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "PACKETSTORM", "id": "152154" }, { "db": "PACKETSTORM", "id": "155158" }, { "db": "PACKETSTORM", "id": "151175" }, { "db": "PACKETSTORM", "id": "151601" } ], "trust": 2.34 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-6109", "trust": 3.2 }, { "db": "SIEMENS", "id": "SSA-412672", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2019-001217", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "152154", "trust": 0.7 }, { "db": "AUSCERT", "id": "ESB-2019.1255", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.1280.2", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.1280", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.1270", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.0410.3", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.0605", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3698", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.1420", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201901-467", "trust": 0.6 }, { "db": "BID", "id": "106843", "trust": 0.3 }, { "db": "ICS CERT", "id": "ICSA-22-349-21", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2019-6109", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "155158", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "151175", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "151601", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "BID", "id": "106843" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "PACKETSTORM", "id": "152154" }, { "db": "PACKETSTORM", "id": "155158" }, { "db": "PACKETSTORM", "id": "151175" }, { "db": "PACKETSTORM", "id": "151601" }, { "db": "NVD", "id": "CVE-2019-6109" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "id": "VAR-201901-0010", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.6178670799999999 }, "last_update_date": "2023-12-18T11:24:25.381000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVS log for src/usr.bin/ssh/progressmeter.c", "trust": 0.8, "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c" }, { "title": "CVS log for src/usr.bin/ssh/scp.c", "trust": 0.8, "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c" }, { "title": "OpenSSH Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=88613" }, { "title": "The Register", "trust": 0.2, "url": "https://www.theregister.co.uk/2019/01/15/scp_vulnerability/" }, { "title": "Red Hat: Moderate: openssh security, bug fix, and enhancement update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20193702 - security advisory" }, { "title": "Ubuntu Security Notice: openssh vulnerabilities", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-3885-1" }, { "title": "Debian CVElist Bug Report Logs: openssh-client: scp can send arbitrary control characters / escape sequences to the terminal (CVE-2019-6109)", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=dffe92fd93b8f745f5f15bc2f29dc935" }, { "title": "Debian CVElist Bug Report Logs: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=74b791ca4fdf54c27d2b50ef6845ef8e" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2019-6109" }, { "title": "Debian CVElist Bug Report Logs: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=8394bb17731a99ef76b185cbc70acfa3" }, { "title": "Amazon Linux AMI: ALAS-2019-1313", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2019-1313" }, { "title": "Amazon Linux 2: ALAS2-2019-1216", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2019-1216" }, { "title": "IBM: IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111) Security Bulletin", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=50a54c2fb43b489f64442dcf4f25bc3b" }, { "title": "IBM: Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (February 2020v1)", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=979e60202a29c3c55731e37f8ddc5a3b" }, { "title": "IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches \u2013 Releases 1801-w and 1801-y", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=bf3f2299a8658b7cd3984c40e7060666" }, { "title": "Siemens Security Advisories: Siemens Security Advisory", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=ec6577109e640dac19a6ddb978afe82d" }, { "title": "", "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2019-6109 " }, { "title": "", "trust": 0.1, "url": "https://github.com/h4xrox/direct-admin-vulnerability-disclosure " }, { "title": "", "trust": 0.1, "url": "https://github.com/numaan911098/leadgenapp-bug-report " }, { "title": "DC-4-Vulnhub-Walkthrough", "trust": 0.1, "url": "https://github.com/vshaliii/dc-4-vulnhub-walkthrough " }, { "title": "nmap", "trust": 0.1, "url": "https://github.com/devairdarolt/nmap " }, { "title": "TrivyWeb", "trust": 0.1, "url": "https://github.com/korayagaya/trivyweb " }, { "title": "github_aquasecurity_trivy", "trust": 0.1, "url": "https://github.com/back8/github_aquasecurity_trivy " }, { "title": "Funbox2-rookie", "trust": 0.1, "url": "https://github.com/vaishali1998/funbox2-rookie " }, { "title": "trivy", "trust": 0.1, "url": "https://github.com/simiyo/trivy " }, { "title": "security", "trust": 0.1, "url": "https://github.com/umahari/security " }, { "title": "", "trust": 0.1, "url": "https://github.com/mohzeela/external-secret " }, { "title": "Vulnerability-Scanner-for-Containers", "trust": 0.1, "url": "https://github.com/t31m0/vulnerability-scanner-for-containers " }, { "title": "trivy", "trust": 0.1, "url": "https://github.com/aquasecurity/trivy " }, { "title": "trivy", "trust": 0.1, "url": "https://github.com/knqyf263/trivy " }, { "title": "trivy", "trust": 0.1, "url": "https://github.com/siddharthraopotukuchi/trivy " }, { "title": "Basic-Pentesting-2-Vulnhub-Walkthrough", "trust": 0.1, "url": "https://github.com/vshaliii/basic-pentesting-2-vulnhub-walkthrough " }, { "title": "", "trust": 0.1, "url": "https://github.com/bioly230/thm_skynet " }, { "title": "Basic-Pentesting-2", "trust": 0.1, "url": "https://github.com/vshaliii/basic-pentesting-2 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-116", "trust": 1.0 }, { "problemtype": "CWE-284", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "NVD", "id": "CVE-2019-6109" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://access.redhat.com/errata/rhsa-2019:3702" }, { "trust": 2.3, "url": "https://www.debian.org/security/2019/dsa-4387" }, { "trust": 2.1, "url": "https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt" }, { "trust": 1.8, "url": "https://usn.ubuntu.com/3885-1/" }, { "trust": 1.8, "url": "https://security.gentoo.org/glsa/201903-16" }, { "trust": 1.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6109" }, { "trust": 1.7, "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c" }, { "trust": 1.7, "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c" }, { "trust": 1.7, "url": "https://security.netapp.com/advisory/ntap-20190213-0001/" }, { "trust": 1.7, "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html" }, { "trust": 1.7, "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html" }, { "trust": 1.7, "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "trust": 1.7, "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/w3yvq2bptovdcfdvnc2ggf5p5isfg37g/" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6109" }, { "trust": 0.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/w3yvq2bptovdcfdvnc2ggf5p5isfg37g/" }, { "trust": 0.6, "url": "https://www.suse.com/support/update/announcement/2019/suse-su-201914030-1.html" }, { "trust": 0.6, "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190941-1.html" }, { "trust": 0.6, "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190496-1.html" }, { "trust": 0.6, "url": "https://www.suse.com/support/update/announcement/2019/suse-su-201914016-1.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/76170" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/152154/gentoo-linux-security-advisory-201903-16.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/75338" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.1280.2/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3698" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/78994" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.1280/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/78934" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/79690" }, { "trust": 0.6, "url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10882554" }, { "trust": 0.4, "url": "https://access.redhat.com/security/cve/cve-2019-6109" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6111" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20685" }, { "trust": 0.3, "url": "http://www.openssh.org/" }, { "trust": 0.3, "url": "https://support.f5.com/csp/article/k12252011" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6110" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/116.html" }, { "trust": 0.1, "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=59542" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21" }, { "trust": 0.1, "url": "https://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "https://security.gentoo.org/" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-6111" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.1, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20685" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20684" }, { "trust": 0.1, "url": "https://sintonen.fi/advisories/scp-name-validator.patch" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2000-0992" }, { "trust": 0.1, "url": "https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/openssh" }, { "trust": 0.1, "url": "https://www.debian.org/security/" } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "BID", "id": "106843" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "PACKETSTORM", "id": "152154" }, { "db": "PACKETSTORM", "id": "155158" }, { "db": "PACKETSTORM", "id": "151175" }, { "db": "PACKETSTORM", "id": "151601" }, { "db": "NVD", "id": "CVE-2019-6109" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2019-6109" }, { "db": "BID", "id": "106843" }, { "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "db": "PACKETSTORM", "id": "152154" }, { "db": "PACKETSTORM", "id": "155158" }, { "db": "PACKETSTORM", "id": "151175" }, { "db": "PACKETSTORM", "id": "151601" }, { "db": "NVD", "id": "CVE-2019-6109" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-01-31T00:00:00", "db": "VULMON", "id": "CVE-2019-6109" }, { "date": "2019-01-11T00:00:00", "db": "BID", "id": "106843" }, { "date": "2019-02-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "date": "2019-03-20T16:09:02", "db": "PACKETSTORM", "id": "152154" }, { "date": "2019-11-06T15:55:27", "db": "PACKETSTORM", "id": "155158" }, { "date": "2019-01-16T15:04:39", "db": "PACKETSTORM", "id": "151175" }, { "date": "2019-02-11T16:13:15", "db": "PACKETSTORM", "id": "151601" }, { "date": "2019-01-31T18:29:00.710000", "db": "NVD", "id": "CVE-2019-6109" }, { "date": "2019-01-15T00:00:00", "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2019-6109" }, { "date": "2019-01-11T00:00:00", "db": "BID", "id": "106843" }, { "date": "2019-02-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-001217" }, { "date": "2023-11-07T03:13:05.160000", "db": "NVD", "id": "CVE-2019-6109" }, { "date": "2022-12-14T00:00:00", "db": "CNNVD", "id": "CNNVD-201901-467" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "152154" }, { "db": "CNNVD", "id": "CNNVD-201901-467" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "OpenSSH Access control vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-001217" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "access control error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201901-467" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.