Debian update for openssh

Published: 2019-02-11 09:59:42
Severity Low
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-20685
CVE-2019-6109
CVE-2019-6111
CVSSv3 6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
3.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CWE ID CWE-284
CWE-451
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software openssh (Debian package)
Vulnerable software versions openssh (Debian package) 1:7.4p1-10+deb9u4
openssh (Debian package) 1:7.4p1-10+deb9u3
openssh (Debian package) 1:7.4p1-10+deb9u2

Show more

Vendor URL Debian

Security Advisory

1) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.

Remediation

Update the affected package to version: 1:7.4p1-10+deb9u5

External links

https://www.debian.org/security/2019/dsa-4387

2) Spoofing attack

Description

The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

Remediation

Update the affected package to version: 1:7.4p1-10+deb9u5

External links

https://www.debian.org/security/2019/dsa-4387

3) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to missing received object name validation by the scp client. A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).


Remediation

Update the affected package to version: 1:7.4p1-10+deb9u5

External links

https://www.debian.org/security/2019/dsa-4387

Back to List