Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are in found in the scp client implementing the SCP protocol.

  - CVE-2018-20685     Due to improper directory name validation, the scp     client allows servers to modify permissions of the     target directory by using empty or dot directory name.

  - CVE-2019-6109     Due to missing character encoding in the progress     display, the object name can be used to manipulate the     client output, for example to employ ANSI codes to hide     additional files being transferred.

  - CVE-2019-6111     Due to scp client insufficient input validation in path     names sent by server, a malicious server can do     arbitrary file overwrites in target directory. If the     recursive (-r) option is provided, the server can also     manipulate subdirectories as well.

  The check added in this version can lead to regression if the client   and the server have differences in wildcard expansion rules. If the   server is trusted for that purpose, the check can be disabled with a   new -T option to the scp client.

Multiple scp client vulnerabilities have been discovered in OpenSSH, the premier connectivity tool for secure remote shell login and secure file transfer.

CVE-2018-20685

In scp.c, the scp client allowed remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact was modifying the permissions of the target directory on the client side.

CVE-2019-6109

Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) was able to employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affected refresh_progress_meter() in progressmeter.c.

CVE-2019-6111

Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performed cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) was able to overwrite arbitrary files in the scp client target directory. If recursive operation (-r) was performed, the server was able to manipulate subdirectories, as well (for example, to overwrite the .ssh/authorized_keys file).

For Debian 8 'Jessie', these problems have been fixed in version 1:6.7p1-5+deb8u8.

We recommend that you upgrade your openssh packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. (CVE-2019-6109)

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. (CVE-2018-20685)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3702 advisory.

    OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating     systems. It includes the core files necessary for both the OpenSSH client and server.

    The following packages have been upgraded to a later upstream version: openssh (8.0p1). (BZ#1691045)

    Security Fix(es):

    * openssh: scp client improper directory name validation (CVE-2018-20685)

    * openssh: Improper validation of object names allows malicious server to overwrite files via scp client     (CVE-2019-6111)

    * openssh: Missing character encoding in progress display allows for spoofing of scp client output     (CVE-2019-6109)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 7.1.26 or 8.0.x prior to 8.0.21 or 8.1.x prior to 8.1.13 or 9.0.x prior to 9.0.7. It is, therefore, affected by  multiple vulnerabilities.

  - OpenSSH software included with PAN-OS has been upgraded to resolve multiple vulnerabilities.
    (CVE-2018-20685, CVE-2019-6109, CVE-2019-6111)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of OpenSSH running on the remote host is prior to 8.0. It is, therefore, affected by the following vulnerabilities:

  - A permission bypass vulnerability due to improper directory name validation. An unauthenticated, remote     attacker can exploit this, with a specially crafted scp server, to change the permission of a directory     on the client. (CVE-2018-20685)

  - Multiple arbitrary file downloads due to improper validation of object name and stderr output. An unauthenticated     remote attacker can exploit this, with a specially crafted scp server, to include additional hidden     files in the transfer. (CVE-2019-6109, CVE-2019-6110)

  - An arbitrary file write vulnerability due to improper object name validation. An unauthenticated, remote     attacker can exploit this, with a specially crafted scp server, to overwrite arbitrary files in the     client directory. (CVE-2019-6111)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0188 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2018-20685:
    In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions     via the filename of . or an empty filename. The impact is modifying the permissions of the target     directory on the client side.

    CVE-2019-6109:
    An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a     malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client     output, e.g., by using ANSI control codes to hide additional files being transferred. This affects     refresh_progress_meter() in progressmeter.c.

    CVE-2019-6111:
    An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the     server chooses which files/directories are sent to the client. However, the scp client only performs     cursory validation of the object name returned (only directory traversal attacks are prevented). A     malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client     target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as     well (for example, to overwrite the .ssh/authorized_keys file).

    CVE-2020-14145:
    The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in     the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts     (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and     8.6 are also affected.

    CVE-2021-41617:
    sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows     privilege escalation because supplemental groups are not initialized as expected. Helper programs for     AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group     memberships of the sshd process, if the configuration specifies running the command as a different user.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The process_open function in sftp-server.c in OpenSSH     before 7.6 does not properly prevent write operations     in readonly mode, which allows attackers to create     zero-length files.(CVE-2017-15906)

  - In OpenSSH 7.9, scp.c in the scp client allows remote     SSH servers to bypass intended access restrictions via     the filename of . or an empty filename. The impact is     modifying the permissions of the target directory on     the client side.(CVE-2018-20685)

  - An issue was discovered in OpenSSH 7.9. Due to missing     character encoding in the progress display, a malicious     server (or Man-in-The-Middle attacker) can employ     crafted object names to manipulate the client output,     e.g., by using ANSI control codes to hide additional     files being transferred. This affects     refresh_progress_meter() in     progressmeter.c.(CVE-2019-6109)

  - An issue was discovered in OpenSSH 7.9. Due to the scp     implementation being derived from 1983 rcp, the server     chooses which files/directories are sent to the client.
    However, the scp client only performs cursory     validation of the object name returned (only directory     traversal attacks are prevented). A malicious scp     server (or Man-in-The-Middle attacker) can overwrite     arbitrary files in the scp client target directory. If     recursive operation (-r) is performed, the server can     manipulate subdirectories as well (for example, to     overwrite the .ssh/authorized_keys     file).(CVE-2019-6111)

  - OpenSSH through 7.7 is prone to a user enumeration     vulnerability due to not delaying bailout for an     invalid authenticating user until after the packet     containing the request has been fully parsed, related     to auth2-gss.c, auth2-hostbased.c, and     auth2-pubkey.c.(CVE-2018-15473)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The installed version of OpenSSH is prior to 8.0 and is affected by multiple vulnerabilities:

 - The scp client allows remote SSH servers to bypass intended access restrictions via the filename of '.'' or an empty filename. The impact is modifying the permissions of the target directory on the client side. (CVE-2018-20685)
 - Due to missing character encoding in the progress display, a malicious server can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects 'refresh_progress_meter()' in progressmeter.c. (CVE-2019-6109)
 - Due to accepting and displaying arbitrary stderr output from the server, a malicious server can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. (CVE-2019-6110)
 - A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

  - In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions     via the filename of . or an empty filename. The impact is modifying the permissions of the target     directory on the client side. (CVE-2018-20685)

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
122068	Debian DSA-4387-1 : openssh - security update	Nessus	Debian Local Security Checks	2/11/2019	6/21/2024	medium
123095	Debian DLA-1728-1 : openssh security update	Nessus	Debian Local Security Checks	3/26/2019	6/12/2024	medium
130403	Amazon Linux AMI : openssh (ALAS-2019-1313)	Nessus	Amazon Linux Local Security Checks	10/31/2019	4/16/2024	medium
130569	RHEL 8 : openssh (RHSA-2019:3702)	Nessus	Red Hat Local Security Checks	11/6/2019	11/6/2024	medium
148123	Palo Alto Networks PAN-OS 7.1.x < 7.1.26 / 8.0.x < 8.0.21 / 8.1.x < 8.1.13 / 9.0.x < 9.0.7 Multiple Vulnerabilities	Nessus	Palo Alto Local Security Checks	3/25/2021	5/10/2022	medium
159491	OpenSSH < 8.0	Nessus	Misc.	4/4/2022	3/27/2024	medium
236225	Alibaba Cloud Linux 3 : 0188: openssh (ALINUX3-SA-2022:0188)	Nessus	Alibaba Cloud Linux Local Security Checks	5/14/2025	5/14/2025	high
124929	EulerOS Virtualization 3.0.1.0 : openssh (EulerOS-SA-2019-1426)	Nessus	Huawei Local Security Checks	5/14/2019	5/23/2024	medium
701156	OpenSSH < 8.0 Multiple Vulnerbilities	Nessus Network Monitor	SSH	8/21/2019	8/21/2019	medium
500840	Siemens SCALANCE X-200RNA Switch Devices Incorrect Authorization (CVE-2018-20685)	Tenable OT Security	Tenable.ot	2/23/2023	12/5/2024	medium

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

high

medium

medium

medium