#VU16988 Security restrictions bypass in WinSCP


Published: 2020-05-12 | Updated: 2021-06-17

Vulnerability identifier: #VU16988

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-6111

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
WinSCP
Client/Desktop applications / File managers, FTP clients

Vendor: winscp.sourceforge.net

Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists because the scp client does not validate the names of the objects it receives. A malicious SCP server can overwrite arbitrary files in the SCP client's target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, overwrite .ssh/authorized_keys).
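The missing check, sketched as an added example (not WinSCP or OpenSSH code): a client-side validator for the SCP control records a server sends (`C<mode> <size> <name>`, `D<mode> <size> <name>`, `E`). The function names, the policy of matching only top-level names against the request, and the sample records are assumptions made for illustration.

```python
import fnmatch
import re

# Server-to-client control record: "C<mode> <size> <name>" (file),
# "D<mode> <size> <name>" (enter directory), "E" (leave directory).
RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")

class UnsafeName(Exception):
    """The server sent an object name the client did not ask for."""

def check_name(name, requested, depth):
    # A received name must be exactly one path component.
    if name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise UnsafeName(f"not a plain file name: {name!r}")
    # Top-level objects must match what the user requested (assumed policy).
    if depth == 0 and not fnmatch.fnmatchcase(name, requested):
        raise UnsafeName(f"{name!r} does not match request {requested!r}")

def validate_stream(records, requested):
    """Return accepted (depth, kind, name) tuples or raise on a bad record."""
    depth, accepted = 0, []
    for line in records:
        line = line.rstrip("\n")
        if line == "E":
            if depth == 0:
                raise ValueError("'E' without a matching 'D' record")
            depth -= 1
            continue
        m = RECORD.match(line)
        if m is None:
            raise ValueError(f"malformed control record: {line!r}")
        kind, _mode, _size, name = m.groups()
        check_name(name, requested, depth)
        accepted.append((depth, kind, name))
        if kind == "D":
            depth += 1
    return accepted

if __name__ == "__main__":
    # Constructed sample: the user asked for "docs" recursively.
    good = ["D0755 0 docs", "C0644 5 a.txt", "E"]
    bad = ["D0755 0 .ssh", "C0600 400 authorized_keys", "E"]
    print(validate_stream(good, "docs"))
    try:
        validate_stream(bad, "docs")
    except UnsafeName as exc:
        print("rejected:", exc)
```

Names inside a requested directory cannot be compared against the request, so the sketch only enforces that they are single path components.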


Mitigation
Update to version 5.14.

Vulnerable software versions

WinSCP: 5.0 - 5.13.7


External links
http://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

