OpenSSH 7.x < 7.5 Directory Traversal

medium Nessus Network Monitor Plugin ID 700019

Synopsis

The remote SSH server may be affected by a directory traversal attack vector.

Description

The installed version of OpenSSH is 7.x prior to 7.5 and is affected by a flaw in the 'do_lsreaddir()' function in 'sftp-client.c' that allows traversing outside of a restricted path. The issue is due to the sftp-client not properly sanitizing input from a remote server, specifically backslashes during a recursive file transfer. This may allow a context-dependent attacker to create or overwrite files outside of the intended target directory.

Solution

Upgrade to OpenSSH 7.x version 7.5 or later.

See Also

http://www.openssh.com/txt/release-7.5

Plugin Details

Severity: Medium

ID: 700019

Family: SSH

Published: 3/22/2017

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Patch Publication Date: 3/20/2017

Vulnerability Publication Date: 3/20/2017