#VU16990 Spoofing attack in WinSCP


Published: 2019-01-15

Vulnerability identifier: #VU16990

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6109

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WinSCP
Client/Desktop applications / File managers, FTP clients

Vendor: winscp.sourceforge.net

Description
The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

Mitigation
Update to version 5.14.

Vulnerable software versions

WinSCP: 5.0 - 5.13.7

External links
http://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SolarWinds Security Event Manager (SEM) update for third-party components
Multiple vulnerabilities in Dell EMC Unity Family
SolarWinds Security Event Manager (SEM) update for third-party components
Red Hat update for openssh
Amazon Linux AMI update for openssh
OpenSUSE Linux update for openssh
Gentoo update for OpenSSH
OpenSUSE Linux update for openssh
Spoofing attack in openssh (Alpine package)
Debian update for openssh