Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2019-6111.NASLHistoryMar 24, 2023 - 12:00 a.m.
Siemens SCALANCE X-200RNA Switch Devices Path Traversal (CVE-2019-6111)
2023-03-2400:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
19
6.8 Medium
AI Score
Confidence
High
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
- An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(500898);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/04");
script_cve_id("CVE-2019-6111");
script_xref(name:"EDB-ID", value:"46193");
script_xref(name:"USN", value:"USN-3885-1");
script_xref(name:"USN", value:"USN-3885-2");
script_xref(name:"DSA", value:"DSA-4387");
script_xref(name:"GLSA", value:"GLSA-201903-16");
script_xref(name:"FEDORA", value:"FEDORA-2019-0f4190cdb0");
script_xref(name:"SuSE", value:"openSUSE-SU-2019:1602");
script_xref(name:"FREEBSD", value:"FreeBSD-EN-19:10");
script_xref(name:"RHSA", value:"RHSA-2019:3702");
script_name(english:"Siemens SCALANCE X-200RNA Switch Devices Path Traversal (CVE-2019-6111)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses
which files/directories are sent to the client. However, the scp client only performs cursory validation of the object
name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker)
can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server
can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
- An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the
server chooses which files/directories are sent to the client. However, the scp client only performs
cursory validation of the object name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client
target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as
well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
# https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44229841880dcb64842fa7d23%40%3Cdev.mina.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3636e0a7");
# https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba195743def9730e49561e8cf3f%40%3Cdev.mina.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d26567d");
script_set_attribute(attribute:"see_also", value:"https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt");
script_set_attribute(attribute:"see_also", value:"https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c");
script_set_attribute(attribute:"see_also", value:"https://www.exploit-db.com/exploits/46193/");
script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/3885-1/");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4387");
script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20190213-0001/");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1677794");
script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/3885-2/");
script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/201903-16");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html");
script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2019/04/18/1");
# https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d1df56dc6d107c1fe885148b%40%3Cdev.mina.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c601aafc");
# https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d7d4bec771e1ae55153c5c7a%40%3Cdev.mina.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af028629");
# https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e31ba540");
script_set_attribute(attribute:"see_also", value:"https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc");
# https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:3702");
script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2022/08/02/1");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6111");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(22);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/31");
script_set_attribute(attribute:"patch_publication_date", value:"2019/01/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/24");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x204rna_eec_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x204rna_firmware");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:scalance_x204rna_firmware" :
{"versionEndExcluding" : "3.2.7", "family" : "SCALANCEX200"},
"cpe:/o:siemens:scalance_x204rna_eec_firmware" :
{"versionEndExcluding" : "3.2.7", "family" : "SCALANCEX200"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| siemens | scalance_x204rna_firmware | cpe:/o:siemens:scalance_x204rna_firmware | |
| siemens | scalance_x204rna_eec_firmware | cpe:/o:siemens:scalance_x204rna_eec_firmware |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
www.nessus.org/u?3636e0a7
www.nessus.org/u?4d26567d
www.nessus.org/u?af028629
www.nessus.org/u?b370bc74
www.nessus.org/u?c601aafc
www.nessus.org/u?e31ba540
www.openwall.com/lists/oss-security/2019/04/18/1
www.openwall.com/lists/oss-security/2022/08/02/1
access.redhat.com/errata/RHSA-2019:3702
bugzilla.redhat.com/show_bug.cgi?id=1677794
cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
lists.debian.org/debian-lts-announce/2019/03/msg00030.html
security.gentoo.org/glsa/201903-16
security.netapp.com/advisory/ntap-20190213-0001/
sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
usn.ubuntu.com/3885-1/
usn.ubuntu.com/3885-2/
www.debian.org/security/2019/dsa-4387
www.exploit-db.com/exploits/46193/
www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc
Related
redhatcve
redhatcve
CVE-2019-6111
2019-01-15 00:50:26
CVE-2019-25017
2021-02-10 17:35:41
debiancve
debiancve
CVE-2019-6111
2019-01-31 18:29:00
CVE-2019-7283
2019-01-31 18:29:00
nessus
nessus
F5 Networks BIG-IP : OpenSSH vulnerability (K21350967)
2022-11-08 00:00:00
EulerOS 2.0 SP5 : openssh (EulerOS-SA-2019-1324)
2019-05-06 00:00:00
f5
f5
K21350967 : OpenSSH vulnerability CVE-2019-6111
2019-01-17 00:00:00
K31781390 : January 2019 OpenSSH security vulnerabilities
2019-01-17 00:00:00
veracode
veracode
Arbitrary File Overwrite
2019-11-06 00:21:13
ubuntu
ubuntu
OpenSSH vulnerability
2019-03-04 00:00:00
OpenSSH vulnerabilities
2019-02-07 00:00:00
prion
prion
Directory traversal
2019-01-31 18:29:00
Input validation
2019-01-31 18:29:00
Directory traversal
2021-02-02 18:15:00
osv
osv
openssh - security update
2019-03-02 00:00:00
CVE-2019-6111
2019-01-31 18:29:00
CVE-2019-25017
2021-02-02 18:15:10
debian
debian
[SECURITY] [DSA 4387-2] openssh security update
2019-03-02 13:13:47
[SECURITY] [DLA 1728-1] openssh security update
2019-03-25 13:48:12
[SECURITY] [DSA 4387-1] openssh security update
2019-02-09 13:30:13
alpinelinux
alpinelinux
CVE-2019-6111
2019-01-31 18:29:00
cve
cve
ubuntucve
ubuntucve
cloudfoundry
cloudfoundry
USN-3885-2: OpenSSH vulnerability | Cloud Foundry
2019-04-25 00:00:00
USN-3885-1: OpenSSH vulnerabilities | Cloud Foundry
2019-02-15 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3885-2)
2019-03-05 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:14030-1)
2021-06-09 00:00:00
openSUSE: Security Advisory for openssh (openSUSE-SU-2019:1602-1)
2019-06-25 00:00:00
zdt
zdt
OpenSSH SCP Client - Write Arbitrary Files Exploit
2019-03-08 00:00:00
attackerkb
attackerkb
CVE-2019-6111
2019-01-31 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: openssh-8.0p1-1.fc30
2019-05-04 00:17:35
suse
suse
Security update for openssh (moderate)
2019-03-08 00:00:00
Security update for openssh (moderate)
2019-06-24 00:00:00
Security update for openssh (important)
2019-01-28 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package openssh version 7.9p1-alt4.p10.1
2022-03-23 00:00:00
mageia
mageia
Updated openssh packages fix security vulnerabilities
2019-05-12 12:35:33
Updated rsh packages fix security vulnerability
2021-11-25 16:06:13
Updated krb5-appl packages fix security vulnerabilities
2021-04-24 01:53:14
exploitpack
exploitpack
OpenSSH SCP Client - Write Arbitrary Files
2019-01-11 00:00:00
SCP Client - Multiple Vulnerabilities (SSHtranger Things)
2019-01-18 00:00:00
packetstorm
packetstorm
SSHtranger Things SCP Client File Issue
2019-01-18 00:00:00
amazon
amazon
Medium: openssh
2023-08-03 20:16:00
Medium: openssh
2023-08-03 18:29:00
Medium: openssh
2019-10-28 17:02:00
oraclelinux
oraclelinux
openssh security, bug fix, and enhancement update
2019-11-14 00:00:00
archlinux
archlinux
[ASA-201904-11] openssh: multiple issues
2019-04-24 00:00:00
ibm
ibm
exploitdb
exploitdb
SCP Client - Multiple Vulnerabilities (SSHtranger Things)
2019-01-18 00:00:00
OpenSSH SCP Client - Write Arbitrary Files
2019-01-11 00:00:00
redhat
redhat
(RHSA-2019:3702) Moderate: openssh security, bug fix, and enhancement update
2019-11-05 20:52:47
gentoo
gentoo
OpenSSH: Multiple vulnerabilities
2019-03-20 00:00:00
thn
thn
36-Year-Old SCP Clients' Implementation Flaws Discovered
2019-01-15 12:32:00
symantec
symantec
OpenSSH Vulnerabilities Jan-Oct 2019
2020-04-21 20:41:25
aix
aix
Vulnerabilities in OpenSSH affect AIX.
2019-07-16 09:38:57
photon
photon
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2019-2.0-0159
2019-05-10 00:00:00
Critical Photon OS Security Update - PHSA-2019-0014
2019-05-11 00:00:00
Critical Photon OS Security Update - PHSA-2019-3.0-0014
2019-05-11 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1938
2021-07-02 17:38:20
kitploit
kitploit
ics
ics
Siemens SCALANCE X-200RNA Switch Devices
2022-12-19 12:00:00
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
2023-12-14 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2019
2020-01-22 00:00:00