Bug 234965 - scp client multiple vulnerabilities (openssh in base/ports affected: CVE-2018-20685 CVE-2019-6111 CVE-2019-6109,6110)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Security Team
URL: https://sintonen.fi/advisories/scp-cl...
Keywords: security
Reported: 2019-01-15 09:37 UTC by Bob Frazier
Modified: 2019-04-01 14:38 UTC
CC: 10 users
Description Bob Frazier 2019-01-15 09:37:37 UTC
According to this article:

https://www.theregister.co.uk/2019/01/15/scp_vulnerability/

OpenSSH 7.9 and earlier contain a set of vulnerabilities that date back to 1983.

These are:

CVE-2018-20685 - server can alter directory permissions on the client

CVE-2019-6111 - server can send arbitrary files not requested by the client, even overwriting files in the client's file system.

CVE-2019-6109, CVE-2019-6110 - server can alter the object name or output display on the ssh client to hide files being copied


There is apparently a patch available, linked to from the article mentioned above, which appears to apply to -CURRENT from a few days ago. I have not attempted to build the source. However, the patch is available here:

https://sintonen.fi/advisories/scp-name-validator.patch

Since I have only verified that the code in the FreeBSD crypto/openssh tree does not appear to have been patched for these vulnerabilities, I cannot say for certain that they exist; however, it is extremely likely and needs to be brought to the attention of the appropriate people.
Comment 1 Kyle Evans freebsd_committer 2019-01-15 12:56:12 UTC
CC'ING secteam, perhaps
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-01-16 06:42:38 UTC
base r343043 by emaste@ addressed one of the issues (CVE-2018-20685)

CC bdrewery (security/openssh-portable maintainer)

According to the article/announcement details, openssh is vulnerable to all four CVEs.

I'd use this as a parent coordinator issue, with separate sub-issues created for each of base openssh and ports openssh being tracked separately for clarity of merges (base issues only have multiple MFC flags, ports issues have a single merge-quarterly flag), and given base and ports components have different maintainers.
Comment 3 VVD 2019-01-23 10:43:54 UTC
Hi!
When in releng?
Comment 4 Ed Maste freebsd_committer 2019-02-05 18:55:51 UTC
Patch in review https://reviews.freebsd.org/D19076
Comment 5 Jochen Neumeister freebsd_committer 2019-02-15 18:37:46 UTC
Does ports-secteam have to be active here?
Comment 6 commit-hook freebsd_committer 2019-02-21 22:46:16 UTC
A commit references this bug:

Author: emaste
Date: Thu Feb 21 22:45:55 UTC 2019
New revision: 344449
URL: https://svnweb.freebsd.org/changeset/base/344449

Log:
  scp: validate filenames provided by server against wildcard in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server
  sending unexpected filenames, but it comes at a risk of rejecting wanted
  files due to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@;
  has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Approved by:	des
  MFC after:	3 days
  Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D19076

Changes:
_U  head/crypto/openssh/
  head/crypto/openssh/scp.1
  head/crypto/openssh/scp.c
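The kind of client-side check the commit above describes (accept a server-announced filename only if it matches the wildcard the user typed, with a -T style opt-out), shown here as an added C illustration that is not the scp.c code from the commit; accept_remote_name, its check_wildcard argument, the always-on name sanity check and the sample names are assumptions of this example.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative validation of a filename sent by an scp server during a
 * remote->local copy (example code, not the scp.c implementation).
 *
 * pattern:        the remote path the user requested, e.g. "dir/*.txt"
 * name:           the filename the server announced for the next file
 * check_wildcard: 1 = enforce the wildcard match, 0 = disabled (like -T)
 * Returns 1 if the name is accepted, 0 if the transfer should be refused.
 */
int accept_remote_name(const char *pattern, const char *name, int check_wildcard)
{
    const char *base;

    /* Sanity check assumed here and always on: the server may only name a
     * plain directory entry, never a path or the "." / ".." pseudo-entries. */
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;

    if (!check_wildcard)
        return 1;   /* -T: trust the names the server sends */

    /* Match against the last component of the request only; the directory
     * part was resolved when the server was asked. The server expanded the
     * glob with its own rules, so a wanted file can still be refused here,
     * which is why the commit adds the -T escape hatch. */
    base = strrchr(pattern, '/');
    base = (base != NULL) ? base + 1 : pattern;
    return fnmatch(base, name, 0) == 0;
}

int main(void)
{
    /* Constructed sample: the user ran   scp 'host:dir/*.txt' .   */
    const char *request = "dir/*.txt";
    const char *received[] = { "notes.txt", "extra.sh", "../notes.txt", ".." };
    size_t i;

    for (i = 0; i < sizeof(received) / sizeof(received[0]); i++)
        printf("%-13s -> %s\n", received[i],
               accept_remote_name(request, received[i], 1) ? "accept" : "reject");
    return 0;
}
```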
Comment 7 commit-hook freebsd_committer 2019-03-07 20:13:24 UTC
A commit references this bug:

Author: emaste
Date: Thu Mar  7 20:12:51 UTC 2019
New revision: 344897
URL: https://svnweb.freebsd.org/changeset/base/344897

Log:
  MFC r344449: scp: validate filenames provided by server against wildcard

  ... in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server
  sending unexpected filenames, but it comes at a risk of rejecting wanted
  files due to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@;
  has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Sponsored by:	The FreeBSD Foundation

Changes:
_U  stable/12/
  stable/12/crypto/openssh/scp.1
  stable/12/crypto/openssh/scp.c
Comment 8 VVD 2019-04-01 14:38:44 UTC
When in releng?