In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in- The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

  - In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious     server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control     codes to hide additional files being transferred. (CVE-2019-6110)

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.10 / 16.1.4 / 17.1.1. It is, therefore, affected by a vulnerability as referenced in the K42531048 advisory.

  - In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious     server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control     codes to hide additional files being transferred. (CVE-2019-6110)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of OpenSSH running on the remote host is prior to 8.0. It is, therefore, affected by the following vulnerabilities:

  - A permission bypass vulnerability due to improper directory name validation. An unauthenticated, remote     attacker can exploit this, with a specially crafted scp server, to change the permission of a directory     on the client. (CVE-2018-20685)

  - Multiple arbitrary file downloads due to improper validation of object name and stderr output. An unauthenticated     remote attacker can exploit this, with a specially crafted scp server, to include additional hidden     files in the transfer. (CVE-2019-6109, CVE-2019-6110)

  - An arbitrary file write vulnerability due to improper object name validation. An unauthenticated, remote     attacker can exploit this, with a specially crafted scp server, to overwrite arbitrary files in the     client directory. (CVE-2019-6111)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The installed version of OpenSSH is prior to 8.0 and is affected by multiple vulnerabilities:

 - The scp client allows remote SSH servers to bypass intended access restrictions via the filename of '.'' or an empty filename. The impact is modifying the permissions of the target directory on the client side. (CVE-2018-20685)
 - Due to missing character encoding in the progress display, a malicious server can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects 'refresh_progress_meter()' in progressmeter.c. (CVE-2019-6109)
 - Due to accepting and displaying arbitrary stderr output from the server, a malicious server can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. (CVE-2019-6110)
 - A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities:

  - In OpenSSH 7.9, scp.c in the scp client allows remote     SSH servers to bypass intended access restrictions via     the filename of . or an empty filename. The impact is     modifying the permissions of the target directory on the     client side. (CVE-2018-20685)

  - An issue was discovered in OpenSSH 7.9. Due to missing     character encoding in the progress display, a malicious     server (or Man-in-The-Middle attacker) can employ     crafted object names to manipulate the client output,     e.g., by using ANSI control codes to hide additional     files being transferred. This affects     refresh_progress_meter() in progressmeter.c.
    (CVE-2019-6109)

  - In OpenSSH 7.9, due to accepting and displaying     arbitrary stderr output from the server, a malicious     server (or Man-in-The-Middle attacker) can manipulate     the client output, for example to use ANSI control codes     to hide additional files being transferred.
    (CVE-2019-6110)

  - An issue was discovered in OpenSSH 7.9. Due to the scp     implementation being derived from 1983 rcp, the server     chooses which files/directories are sent to the client.
    However, the scp client only performs cursory validation     of the object name returned (only directory traversal     attacks are prevented). A malicious scp server (or Man-     in-The-Middle attacker) can overwrite arbitrary files in     the scp client target directory. If recursive operation     (-r) is performed, the server can manipulate     subdirectories as well (for example, to overwrite the     .ssh/authorized_keys file). (CVE-2019-6111)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the openssh package has been released.

The remote host is affected by the vulnerability described in GLSA-201903-16 (OpenSSH: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSH. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could overwrite arbitrary files, transfer malicious       files, or gain unauthorized access.
  Workaround :

    There is no known workaround at this time.

This update for openssh fixes the following issues :

Security issue fixed :

  - CVE-2018-20685: Fixed an issue where scp client allows     remote SSH servers to bypass intended access     restrictions (bsc#1121571)

  - CVE-2019-6109: Fixed an issue where the scp client would     allow malicious remote SSH servers to manipulate     terminal output via the object name, e.g. by inserting     ANSI escape sequences (bsc#1121816)

  - CVE-2019-6110: Fixed an issue where the scp client would     allow malicious remote SSH servers to manipulate stderr     output, e.g. by inserting ANSI escape sequences     (bsc#1121818)

  - CVE-2019-6111: Fixed an issue where the scp client would     allow malicious remote SSH servers to execute directory     traversal attacks and overwrite files (bsc#1121821)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for openssh fixes the following issues :

Security issues fixed :

  - CVE-2018-20685: Fixed an issue where scp client allows     remote SSH servers to bypass intended access     restrictions (bsc#1121571)

  - CVE-2019-6109: Fixed an issue where the scp client would     allow malicious remote SSH servers to manipulate     terminal output via the object name, e.g. by inserting     ANSI escape sequences (bsc#1121816)

  - CVE-2019-6110: Fixed an issue where the scp client would     allow malicious remote SSH servers to manipulate stderr     output, e.g. by inserting ANSI escape sequences     (bsc#1121818)

  - CVE-2019-6111: Fixed an issue where the scp client would     allow malicious remote SSH servers to execute directory     traversal attacks and overwrite files (bsc#1121821)

This update was imported from the SUSE:SLE-15:Update update project.

This update for openssh fixes the following issues :

Security issue fixed :

CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)

CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)

CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)

CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for openssh fixes the following issues :

Security issues fixed :

CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)

CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)

CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)

CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
500838	Siemens SCALANCE X-200RNA Switch Devices Inappropriate Encoding For Output Context (CVE-2019-6110)	Tenable OT Security	Tenable.ot	medium
167059	F5 Networks BIG-IP : OpenSSH vulnerability (K42531048)	Nessus	F5 Networks Local Security Checks	medium
159491	OpenSSH < 8.0	Nessus	Misc.	medium
701156	OpenSSH < 8.0 Multiple Vulnerbilities	Nessus Network Monitor	SSH	medium
127253	NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0060)	Nessus	NewStart CGSL Local Security Checks	medium
126199	Photon OS 1.0: Openssh PHSA-2019-1.0-0237	Nessus	PhotonOS Local Security Checks	medium
126107	Photon OS 2.0: Openssh PHSA-2019-2.0-0165	Nessus	PhotonOS Local Security Checks	medium
122990	GLSA-201903-16 : OpenSSH: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
121460	openSUSE Security Update : openssh (openSUSE-2019-93)	Nessus	SuSE Local Security Checks	medium
121430	openSUSE Security Update : openssh (openSUSE-2019-91)	Nessus	SuSE Local Security Checks	medium
121306	SUSE SLES11 Security Update : openssh (SUSE-SU-2019:13931-1)	Nessus	SuSE Local Security Checks	medium
121300	SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2019:0132-1)	Nessus	SuSE Local Security Checks	medium
121296	SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2019:0126-1)	Nessus	SuSE Local Security Checks	medium
121295	SUSE SLES12 Security Update : openssh (SUSE-SU-2019:0125-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2019-6110

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium