Debian update for openssh

Published: 2019-02-11
Severity Low
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-20685
CVE-2019-6109
CVE-2019-6111
CWE ID CWE-284
CWE-451
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software openssh (Debian package) Subscribe
Vendor Debian

Security Advisory

1) Security restrictions bypass

Severity: Low

CVSSv3: 6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-20685

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.

Mitigation

Update the affected package to version: 1:7.4p1-10+deb9u5

Vulnerable software versions

openssh (Debian package): 1:7.1p1-1, 1:7.1p1-2, 1:7.1p1-3, 1:7.1p1-4, 1:7.1p1-5, 1:7.1p1-6, 1:7.1p2-1, 1:7.1p2-2, 1:7.2p1-1, 1:7.2p2-1, 1:7.2p2-2, 1:7.2p2-3, 1:7.2p2-4, 1:7.2p2-5, 1:7.2p2-6, 1:7.2p2-7, 1:7.2p2-8, 1:7.3p1-1, 1:7.3p1-2, 1:7.3p1-3, 1:7.3p1-4, 1:7.3p1-5, 1:7.4p1-1, 1:7.4p1-2, 1:7.4p1-3, 1:7.4p1-4, 1:7.4p1-5, 1:7.4p1-6, 1:7.4p1-7, 1:7.4p1-8, 1:7.4p1-9, 1:7.4p1-10, 1:7.4p1-10+deb9u1, 1:7.4p1-10+deb9u2, 1:7.4p1-10+deb9u3, 1:7.4p1-10+deb9u4

CPE External links

https://www.debian.org/security/2019/dsa-4387

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

Severity: Low

CVSSv3: 3.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6109

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Description

The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

Mitigation

Update the affected package to version: 1:7.4p1-10+deb9u5

Vulnerable software versions

openssh (Debian package): 1:7.1p1-1, 1:7.1p1-2, 1:7.1p1-3, 1:7.1p1-4, 1:7.1p1-5, 1:7.1p1-6, 1:7.1p2-1, 1:7.1p2-2, 1:7.2p1-1, 1:7.2p2-1, 1:7.2p2-2, 1:7.2p2-3, 1:7.2p2-4, 1:7.2p2-5, 1:7.2p2-6, 1:7.2p2-7, 1:7.2p2-8, 1:7.3p1-1, 1:7.3p1-2, 1:7.3p1-3, 1:7.3p1-4, 1:7.3p1-5, 1:7.4p1-1, 1:7.4p1-2, 1:7.4p1-3, 1:7.4p1-4, 1:7.4p1-5, 1:7.4p1-6, 1:7.4p1-7, 1:7.4p1-8, 1:7.4p1-9, 1:7.4p1-10, 1:7.4p1-10+deb9u1, 1:7.4p1-10+deb9u2, 1:7.4p1-10+deb9u3, 1:7.4p1-10+deb9u4

CPE External links

https://www.debian.org/security/2019/dsa-4387

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

Severity: Low

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-6111

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to missing received object name validation by the scp client. A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).


Mitigation

Update the affected package to version: 1:7.4p1-10+deb9u5

Vulnerable software versions

openssh (Debian package): 1:7.1p1-1, 1:7.1p1-2, 1:7.1p1-3, 1:7.1p1-4, 1:7.1p1-5, 1:7.1p1-6, 1:7.1p2-1, 1:7.1p2-2, 1:7.2p1-1, 1:7.2p2-1, 1:7.2p2-2, 1:7.2p2-3, 1:7.2p2-4, 1:7.2p2-5, 1:7.2p2-6, 1:7.2p2-7, 1:7.2p2-8, 1:7.3p1-1, 1:7.3p1-2, 1:7.3p1-3, 1:7.3p1-4, 1:7.3p1-5, 1:7.4p1-1, 1:7.4p1-2, 1:7.4p1-3, 1:7.4p1-4, 1:7.4p1-5, 1:7.4p1-6, 1:7.4p1-7, 1:7.4p1-8, 1:7.4p1-9, 1:7.4p1-10, 1:7.4p1-10+deb9u1, 1:7.4p1-10+deb9u2, 1:7.4p1-10+deb9u3, 1:7.4p1-10+deb9u4

CPE External links

https://www.debian.org/security/2019/dsa-4387

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.