ArchLinux: 201904-11: openssh: multiple issues

    Date26 Apr 2019
    CategoryArchLinux
    744
    Posted ByLinuxSecurity Advisories
    The package openssh before version 8.0p1-1 is vulnerable to multiple issues including insufficient validation, arbitrary file overwrite and content spoofing.
    Arch Linux Security Advisory ASA-201904-11
    ==========================================
    
    Severity: High
    Date    : 2019-04-24
    CVE-ID  : CVE-2018-20685 CVE-2019-6109 CVE-2019-6111
    Package : openssh
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-951
    
    Summary
    =======
    
    The package openssh before version 8.0p1-1 is vulnerable to multiple
    issues including insufficient validation, arbitrary file overwrite and
    content spoofing.
    
    Resolution
    ==========
    
    Upgrade to 8.0p1-1.
    
    # pacman -Syu "openssh>=8.0p1-1"
    
    The problems have been fixed upstream in version 8.0p1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2018-20685 (insufficient validation)
    
    In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to
    bypass intended access restrictions via the filename of . or an empty
    filename.
    
    - CVE-2019-6109 (content spoofing)
    
    An issue was discovered in OpenSSH 7.9. Due to missing character
    encoding in the progress display, a malicious server (or Man-in-The-
    Middle attacker) can employ crafted object names to manipulate the
    client output, e.g., by using ANSI control codes to hide additional
    files being transferred. This affects refresh_progress_meter() in
    progressmeter.c.
    
    - CVE-2019-6111 (arbitrary file overwrite)
    
    An issue was discovered in OpenSSH 7.9. Due to the scp implementation
    being derived from 1983 rcp, the server chooses which files/directories
    are sent to the client. However, the scp client only performs cursory
    validation of the object name returned (only directory traversal
    attacks are prevented). A malicious scp server (or Man-in-The-Middle
    attacker) can overwrite arbitrary files in the scp client target
    directory. If recursive operation (-r) is performed, the server can
    manipulate subdirectories as well (for example, to overwrite the
    .ssh/authorized_keys file).
    
    Impact
    ======
    
    A malicious SCP server can overwrite arbitrary files in the scp client
    target directory.
    
    References
    ==========
    
    https://www.openssh.com/txt/release-8.0
    https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h
    https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
    https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
    https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c
    https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
    https://security.archlinux.org/CVE-2018-20685
    https://security.archlinux.org/CVE-2019-6109
    https://security.archlinux.org/CVE-2019-6111
    
    
    You are not authorised to post comments.

    LinuxSecurity Poll

    What is your favorite LinuxSecurity.com feature?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote&format=json
    17
    radio
    [{"id":"65","title":"Feature articles","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"66","title":"News","votes":"1","type":"x","order":"2","pct":33.33,"resources":[]},{"id":"67","title":"HOWTOs","votes":"2","type":"x","order":"3","pct":66.67,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.