#11693: Create security patch for OpenSSH (CVE-2018-20685)
-------------------------+-----------------------
 Reporter:  renodr       |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  highest      |  Milestone:  8.4
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 There is an authentication bypass issue in OpenSSH, done by adding a . or
 a blank filename in SCP:

 {{{
 In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to
 bypass intended access restrictions via the filename of . or an empty
 filename.
 }}}

 [https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2]

 Here's the advisory text that I received:

 {{{
 scp client multiple vulnerabilities
 ===================================
 The latest version of this advisory is available at:
 https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt


 Overview
 --------

 SCP clients from multiple vendors are susceptible to a malicious scp server
 performing unauthorized changes to target directory and/or client output
 manipulation.


 Description
 -----------

 Many scp clients fail to verify if the objects returned by the scp server
 match those it asked for. This issue dates back to 1983 and rcp, on which scp
 is based. A separate flaw in the client allows the target directory attributes
 to be changed arbitrarily. Finally, two vulnerabilities in clients may allow
 the server to spoof the client output.


 Impact
 ------

 A malicious scp server can write arbitrary files to the scp target directory,
 change the target directory permissions and spoof the client output.


 Details
 -------

 The discovered vulnerabilities, described in more detail below, enable the
 attack described here in brief.

 1. The attacker-controlled server or Man-in-the-Middle (*) attack drops
    .bash_aliases file to victim's home directory when the victim performs
    scp operation from the server. The transfer of extra files is hidden by
    sending ANSI control sequences via stderr. For example:

    user@local:~$ scp user@remote:readme.txt .
    readme.txt                                         100%  494     1.6KB/s   00:00
    user@local:~$

 2. Once the victim launches a new shell, the malicious commands in
    .bash_aliases get executed.


 *) Man-in-the-Middle attack does require the victim to accept the wrong host
    fingerprint.


 Vulnerabilities
 ---------------

 1. CWE-20: scp client improper directory name validation [CVE-2018-20685]

 The scp client allows the server to modify permissions of the target directory
 by using an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name.


 2. CWE-20: scp client missing received object name validation
 [CVE-2019-6111]

 Due to the scp implementation being derived from 1983 rcp [1], the server
 chooses which files/directories are sent to the client. However, the scp
 client only performs cursory validation of the object name returned (only
 directory traversal attacks are prevented). A malicious scp server can
 overwrite arbitrary files in the scp client target directory. If recursive
 operation (-r) is performed, the server can manipulate subdirectories as well
 (for example overwrite .ssh/authorized_keys).

 The same vulnerability in WinSCP is known as CVE-2018-20684.


 3. CWE-451: scp client spoofing via object name [CVE-2019-6109]

 Due to missing character encoding in the progress display, the object name
 can be used to manipulate the client output, for example to employ ANSI codes
 to hide additional files being transferred.


 4. CWE-451: scp client spoofing via stderr [CVE-2019-6110]

 Due to accepting and displaying arbitrary stderr output from the scp server,
 a malicious server can manipulate the client output, for example to employ
 ANSI codes to hide additional files being transferred.


 Proof-of-Concept
 ----------------

 Proof of concept malicious scp server will be released at a later date.


 Vulnerable versions
 -------------------

 The following software packages have some or all vulnerabilities:

                    ver      #1  #2  #3  #4
 OpenSSH scp        <=7.9    x   x   x   x
 PuTTY PSCP         ?        -   -   x   x
 WinSCP scp mode    <=5.13   -   x   -   -

 Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol.


 Mitigation
 ----------

 1. OpenSSH

 1.1 Switch to sftp if possible

 1.2 Apply the following patches to scp:
     CVE-2018-20685:
     https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
     CVE-2019-6109:
     https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
     CVE-2019-6111:
     https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

 1.3 Alternatively apply the following patch to harden scp against most
     server-side manipulation attempts:
     https://sintonen.fi/advisories/scp-name-validator.patch

     NOTE: This unofficial patch may cause problems if the remote and local
     shells don't agree on the way glob() pattern matching works. YMMV.

 2. PuTTY

 2.1 No fix is available yet

 3. WinSCP

 3.1. Upgrade to WinSCP 5.14 or later



 Similar or prior work
 ---------------------

 1. CVE-2000-0992 - scp overwrites arbitrary files


 References
 ----------

 1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access


 Issue tracking
 --------------

 Arch Linux
   https://security.archlinux.org/CVE-2018-20685

 Debian GNU/Linux
   https://security-tracker.debian.org/tracker/CVE-2019-6111
   https://security-tracker.debian.org/tracker/CVE-2018-20685
   https://security-tracker.debian.org/tracker/CVE-2019-6109
   https://security-tracker.debian.org/tracker/CVE-2019-6110

 Gentoo Linux
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6111
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6109
   https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-6110

 Red Hat Linux
   https://access.redhat.com/security/cve/cve-2019-6111
   https://access.redhat.com/security/cve/cve-2018-20685
   https://access.redhat.com/security/cve/cve-2019-6109
   https://access.redhat.com/security/cve/cve-2019-6110

 SUSE Linux
   https://www.suse.com/security/cve/CVE-2019-6111
   https://www.suse.com/security/cve/CVE-2018-20685
   https://www.suse.com/security/cve/CVE-2019-6109
   https://www.suse.com/security/cve/CVE-2019-6110

 Ubuntu
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6111.html
   https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20685.html
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6109.html
   https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6110.html

 WinSCP
   https://www.cvedetails.com/cve/CVE-2018-20684

 PuTTY PSCP
   https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html


 Credits
 -------

 These vulnerabilities were discovered by Harry Sintonen / F-Secure
 Corporation.


 Timeline
 --------

 2018.08.08  initial discovery of vulnerabilities #1 and #2
 2018.08.09  reported vulnerabilities #1 and #2 to OpenSSH
 2018.08.10  OpenSSH acknowledged the vulnerabilities
 2018.08.14  discovered & reported vulnerability #3 to OpenSSH
 2018.08.15  discovered & reported vulnerability #4 to OpenSSH
 2018.08.30  reported PSCP vulnerabilities (#3 and #4) to PuTTY developers
 2018.08.31  reported WinSCP vulnerability (#2) to WinSCP developers
 2018.09.04  WinSCP developers reported the vulnerability #2 fixed
 2018.11.12  requested a status update from OpenSSH
 2018.11.16  OpenSSH fixed vulnerability #1
 2019.01.07  requested a status update from OpenSSH
 2019.01.08  requested CVE assignments from MITRE
 2019.01.10  received CVE assignments from MITRE
 2019.01.11  public disclosure of the advisory
 2019.01.14  added a warning about the potential issues caused by the patch
 2019.01.15  added issue tracking section (Arch, Debian, Red Hat, SUSE,
 Ubuntu)
 2019.01.15  fixed patch for BROKEN_ONE_BYTE_DIRENT_D_NAME
 2019.01.17  updated Ubuntu issue tracking, added Gentoo issue tracking
 2019.02.01  added PuTTY PSCP issue tracking
 2019.02.09  added links to official patches to mitigation section

 }}}
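An added example, not part of this ticket and not OpenSSH's own code: a small C checker that applies the classes of check the patches listed above introduce to the headers an scp server sends in download mode, so the four advisory items can be tried against a constructed hostile stream. Assumed here: the "C<mode> <size> <name>" / "D<mode> <size> <name>" header grammar inherited from rcp (the only protocol fact used), a constructed sample stream with the file data omitted, and a '?' substitution for control bytes where OpenSSH encodes them with vis(3). The names scp_parse_record, scp_validate_name, scp_name_matches, scp_sanitize, scp_check_stream and scp_sample_stream belong to this example, not to scp.c.

```c
/*
 * Added example, not OpenSSH code. scp_validate_name() mirrors the test the
 * CVE-2018-20685 fix added to sink(); scp_name_matches() is the CVE-2019-6111
 * idea (received name must match what was requested); scp_sanitize() stands
 * in for the vis(3) encoding used against CVE-2019-6109/6110.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_BAD_RECORD, SCP_BAD_NAME, SCP_UNEXPECTED_NAME };
static const char *const verdict_name[] = { "accept", "bad-record", "bad-name", "unexpected-name" };
/* type is 'C' or 'D'; mode is the octal field; name is exactly what the server sent */
struct scp_record { char type; unsigned long mode; long long size; char name[256]; };

/* Parse one header line (no trailing newline). Returns SCP_OK or SCP_BAD_RECORD. */
int scp_parse_record(const char *line, struct scp_record *rec)
{
    char *end;
    memset(rec, 0, sizeof(*rec));
    if ((line[0] != 'C' && line[0] != 'D') || line[1] < '0' || line[1] > '7')
        return SCP_BAD_RECORD;
    rec->type = line[0];
    rec->mode = strtoul(line + 1, &end, 8);
    if (*end != ' ' || end[1] < '0' || end[1] > '9')
        return SCP_BAD_RECORD;
    rec->size = strtoll(end + 1, &end, 10);
    if (*end != ' ' || strlen(end + 1) >= sizeof(rec->name))
        return SCP_BAD_RECORD;
    strcpy(rec->name, end + 1);  /* the name runs to end of line, spaces kept */
    return SCP_OK;
}

/* A name that would chmod or replace the target directory itself, or escape
 * it, is refused (this is the CVE-2018-20685 check). */
int scp_validate_name(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return SCP_BAD_NAME;
    return SCP_OK;
}

/* CVE-2019-6111 class: a top-level object must match what the user asked for
 * (literal name or shell glob). Assumption: fnmatch(3) semantics are close
 * enough to the remote shell's glob for this demonstration. */
int scp_name_matches(const char *requested, const char *name)
{
    return fnmatch(requested, name, 0) == 0 ? SCP_OK : SCP_UNEXPECTED_NAME;
}

/* Replace control bytes (ESC included) so a server-chosen string cannot carry
 * ANSI sequences that rewrite the terminal. Returns how many were replaced. */
int scp_sanitize(const char *in, char *out, size_t outlen)
{
    size_t i; int replaced = 0;
    if (outlen == 0)
        return -1;
    for (i = 0; i + 1 < outlen && in[i] != '\0'; i++) {
        int ctl = (unsigned char)in[i] < 0x20 || in[i] == 0x7f;
        out[i] = ctl ? '?' : in[i];
        replaced += ctl;
    }
    out[i] = '\0';
    return replaced;
}

/* Walk newline-separated headers as if the client ran "scp host:<requested> .",
 * print one sanitized verdict line per record, return how many would be refused. */
int scp_check_stream(const char *stream, const char *requested)
{
    int rejected = 0, v;
    const char *p = stream;
    struct scp_record rec;
    char line[512], shown[sizeof(rec.name)];
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof(line))
            return rejected + 1;          /* oversized header: refuse and stop */
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (p[len] == '\n');
        v = scp_parse_record(line, &rec);
        if (v == SCP_OK)
            v = scp_validate_name(rec.name);
        if (v == SCP_OK)
            v = scp_name_matches(requested, rec.name);
        scp_sanitize(rec.name, shown, sizeof(shown));
        printf("%-16s %s\n", verdict_name[v], shown);
        rejected += (v != SCP_OK);
    }
    return rejected;
}

/* Constructed reply from a hostile server to "scp user@remote:readme.txt ." */
const char scp_sample_stream[] =
    "D0777 0 .\n"                    /* CVE-2018-20685: chmod 0777 on the target dir */
    "C0644 11 readme.txt\n"          /* the only object that was requested */
    "C0644 18 .bash_aliases\n"       /* CVE-2019-6111: unrequested file into $HOME */
    "C0644 5 \x1b[2Kreadme.txt\n";   /* CVE-2019-6109: ESC sequence in the name */

int main(void) { return scp_check_stream(scp_sample_stream, "readme.txt") ? 1 : 0; }
```

Built with a plain `cc`, the program prints one line per header and exits 1 because three of the four records are refused: the "." directory (CVE-2018-20685), the unrequested .bash_aliases (CVE-2019-6111) and the name carrying ESC, which appears as "?[2Kreadme.txt" instead of erasing the line. The same sanitizer would have to be applied to anything the server writes to stderr (CVE-2019-6110). Two caveats match the advisory's YMMV note: fnmatch(3) without FNM_PERIOD lets a requested "*" match dotfiles such as .bash_aliases, and the local and remote shells may expand globs differently, which is exactly where a name-matching check can produce false refusals.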

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11693>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
