CVE-2019-6111

5.9MEDIUM

Key Information:

Vendor
OpenBSD
Status
Openssh
Winscp
Vendor
CVE Published:
31 January 2019

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

SNP
Created by 53n7hu

References

https://www.debian.org/security/2019/dsa-4387
vendor-advisory
https://security.netapp.com/advisory/ntap-20190213-0001/
http://www.securityfocus.com/bid/106741
vdb-entry

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.