Bug 234965

Summary: scp client multiple vulnerabilities (openssh in base/ports affected: CVE-2018-20685 CVE-2019-6111 CVE-2019-6109,6110)
Product: Base System
Reporter: Bob Frazier <bobf>
Component: bin
Assignee: Security Team <secteam>
Status: Closed FIXED
Severity: Affects Many People
CC: bdrewery, des, emaste, freebsd, jamie, joneum, kevans, ports-secteam, secteam, vvd
Priority: Normal
Keywords: security
Version: CURRENT
Hardware: Any
OS: Any
URL: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233801

Description Bob Frazier 2019-01-15 09:37:37 UTC
According to this article:

https://www.theregister.co.uk/2019/01/15/scp_vulnerability/

OpenSSH 7.9 and earlier contain a set of vulnerabilities that date back to 1983.

These are:

CVE-2018-20685 - server can alter directory permissions on the client

CVE-2019-6111 -  server can send arbitrary files not requested by the client, even overwriting files in the client's file system.

CVE-2019-6109, CVE-2019-6110 - server can alter the object name or output display on the ssh client to hide files being copied


There is apparently a patch available, linked to from the article mentioned above, which appears to apply to -CURRENT from a few days ago. I have not attempted to build the source. However, the patch is available here:

https://sintonen.fi/advisories/scp-name-validator.patch

Since I have only verified that the code in the FreeBSD crypto/openssh tree does not appear to have been patched for these vulnerabilities, I can not for certain say that they exist; however, it is extremely likely and needs to be brought to the attention of the appropriate people.
Comment 1 Kyle Evans freebsd_committer freebsd_triage 2019-01-15 12:56:12 UTC
CC'ING secteam, perhaps
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-01-16 06:42:38 UTC
base r343043 by emaste@ addressed one of the issues (CVE-2018-20685)

CC bdrewery (security/openssh-portable maintainer)

According to the article/announcement details, openssh is vulnerable to all four CVEs.

I'd use this as a parent coordinator issue, with separate sub issues created for each of base openssh and ports openssh being tracked separately for clarity of merges (base issues only multiple MFC flags, ports issues have a single merge quarterly flag), and given base and ports components have different maintainers.
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2019-01-23 10:43:54 UTC
Hi!
When in releng?
Comment 4 Ed Maste freebsd_committer freebsd_triage 2019-02-05 18:55:51 UTC
Patch in review https://reviews.freebsd.org/D19076
Comment 5 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:37:46 UTC
Does ports-secteam have to be active here?
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-02-21 22:46:16 UTC
A commit references this bug:

Author: emaste
Date: Thu Feb 21 22:45:55 UTC 2019
New revision: 344449
URL: https://svnweb.freebsd.org/changeset/base/344449

Log:
  scp: validate filenames provided by server against wildcard in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server
  sending unexpected filenames, but it comes at a risk of rejecting wanted
  files due to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@;
  has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Approved by:	des
  MFC after:	3 days
  Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D19076

Changes:
_U  head/crypto/openssh/
  head/crypto/openssh/scp.1
  head/crypto/openssh/scp.c
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-03-07 20:13:24 UTC
A commit references this bug:

Author: emaste
Date: Thu Mar  7 20:12:51 UTC 2019
New revision: 344897
URL: https://svnweb.freebsd.org/changeset/base/344897

Log:
  MFC r344449: scp: validate filenames provided by server against wildcard

  ... in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server
  sending unexpected filenames, but it comes at a risk of rejecting wanted
  files due to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@;
  has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Sponsored by:	The FreeBSD Foundation

Changes:
_U  stable/12/
  stable/12/crypto/openssh/scp.1
  stable/12/crypto/openssh/scp.c
Comment 8 Vladimir Druzenko freebsd_committer freebsd_triage 2019-04-01 14:38:44 UTC
When in releng?
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-05-07 19:49:11 UTC
A commit references this bug:

Author: emaste
Date: Tue May  7 19:48:40 UTC 2019
New revision: 347232
URL: https://svnweb.freebsd.org/changeset/base/347232

Log:
  MFC r345576: Merge r345574 from vendor-crypto:

  upstream: when checking that filenames sent by the server side

  match what the client requested, be prepared to handle shell-style brace
  alternations, e.g. "{foo,bar}".

  "looks good to me" millert@ + in snaps for the last week courtesy
  deraadt@

  OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e

  PR:		234965
  Discussed with:	des
  Obtained from:	OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874

Changes:
_U  stable/12/
  stable/12/crypto/openssh/scp.c
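As an added illustration of the client-side check the commits above describe (not code from this bug, from OpenSSH, or from the FreeBSD scp.c): the user's pattern is expanded over shell-style brace alternations such as "{foo,bar}", and each expansion is tested with fnmatch(3) against the filename the server sent. The function names brace_match and scp_name_ok, the recursive expansion strategy, and the basename sanity checks (no '/', not "." or "..") are assumptions of this example rather than the scp.c implementation; the sample names are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Expand the first brace group in pattern into its alternatives and test
 * each resulting pattern recursively against name with fnmatch(3).
 * Returns 1 if some expansion matches, 0 otherwise.  Nested groups are
 * handled by recursion; an unbalanced '{' is treated as a literal.
 */
static int brace_match(const char *pattern, const char *name)
{
    const char *lb = strchr(pattern, '{');
    if (lb == NULL)
        return fnmatch(pattern, name, 0) == 0;

    /* Locate the '}' that closes lb, honouring nesting. */
    int depth = 0;
    const char *rb = NULL;
    for (const char *p = lb; *p != '\0'; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0) {
            rb = p;
            break;
        }
    }
    if (rb == NULL)
        return fnmatch(pattern, name, 0) == 0;

    size_t prefix_len = (size_t)(lb - pattern);
    const char *suffix = rb + 1;

    /* Split the group body on commas at nesting depth 0. */
    const char *alt = lb + 1;
    depth = 0;
    for (const char *p = lb + 1; p <= rb; p++) {
        if (*p == '{') {
            depth++;
        } else if (*p == '}' && p != rb) {
            depth--;
        } else if ((*p == ',' && depth == 0) || p == rb) {
            size_t alt_len = (size_t)(p - alt);
            size_t len = prefix_len + alt_len + strlen(suffix);
            char *expanded = malloc(len + 1);
            if (expanded == NULL)
                return 0;
            memcpy(expanded, pattern, prefix_len);
            memcpy(expanded + prefix_len, alt, alt_len);
            strcpy(expanded + prefix_len + alt_len, suffix);
            int ok = brace_match(expanded, name);
            free(expanded);
            if (ok)
                return 1;
            alt = p + 1;
        }
    }
    return 0;
}

/*
 * Decide whether a filename sent by the server may be written locally.
 * The name must be a plain basename (assumed sanity check) and must
 * satisfy the wildcard the user typed on the command line.
 */
int scp_name_ok(const char *user_pattern, const char *server_name)
{
    if (server_name[0] == '\0' || strchr(server_name, '/') != NULL)
        return 0;
    if (strcmp(server_name, ".") == 0 || strcmp(server_name, "..") == 0)
        return 0;
    return brace_match(user_pattern, server_name);
}

int main(void)
{
    /* Constructed sample: user asked for "*.txt"; server offers two names. */
    printf("notes.txt  -> %d\n", scp_name_ok("*.txt", "notes.txt"));   /* 1 */
    printf("evil.sh    -> %d\n", scp_name_ok("*.txt", "evil.sh"));     /* 0 */
    printf("brace      -> %d\n", scp_name_ok("{a,b{1,2}}.o", "b2.o")); /* 1 */
    return 0;
}
```

This mirrors the trade-off the commit message names: a name the server sends is rejected unless it matches the client-side expansion of the user's pattern, so differences between client and server globbing rules can reject wanted files, which is why the real fix also ships a -T flag to disable the check.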
Comment 10 Vladimir Druzenko freebsd_committer freebsd_triage 2019-05-08 12:28:22 UTC
When in releng?
Comment 11 Ed Maste freebsd_committer freebsd_triage 2019-08-13 14:18:47 UTC
The change is in FreeBSD 12.0; it does not apply to the older version of scp in 11.3 and will probably not be backported.