Bug 234965 - scp client multiple vulnerabilities (openssh in base/ports affected: CVE-2018-20685 CVE-2019-6111 CVE-2019-6109,6110)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
: Normal Affects Many People
Assignee: Security Team
URL: https://sintonen.fi/advisories/scp-cl...
Keywords: security
Reported: 2019-01-15 09:37 UTC by Bob Frazier
Modified: 2019-02-15 18:37 UTC

Description Bob Frazier 2019-01-15 09:37:37 UTC
According to this article:

https://www.theregister.co.uk/2019/01/15/scp_vulnerability/

OpenSSH 7.9 and earlier contain a set of vulnerabilities that date back to 1983.

These are:

CVE-2018-20685 - server can alter directory permissions on the client

CVE-2019-6111 - server can send arbitrary files not requested by the client, even overwriting files in the client's file system.

CVE-2019-6109, CVE-2019-6110 - server can alter the object name or output display on the ssh client to hide files being copied


There is apparently a patch available, linked to from the article mentioned above, which appears to apply to -CURRENT from a few days ago. I have not attempted to build the source. However, the patch is available here:

https://sintonen.fi/advisories/scp-name-validator.patch

Since I have only verified that the code in the FreeBSD crypto/openssh tree does not appear to have been patched for these vulnerabilities, I cannot say for certain that they exist; however, it is extremely likely and needs to be brought to the attention of the appropriate people.
Comment 1 Kyle Evans freebsd_committer 2019-01-15 12:56:12 UTC
CC'ING secteam, perhaps
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-01-16 06:42:38 UTC
base r343043 by emaste@ addressed one of the issues (CVE-2018-20685)

CC bdrewery (security/openssh-portable maintainer)

According to the article/announcement details, openssh is vulnerable to all four CVEs.

I'd use this as a parent coordinator issue, with separate sub issues created for each of base openssh and ports openssh being tracked separately for clarity of merges (base issues only multiple MFC flags, ports issues have a single merge quarterly flag), and given base and ports components have different maintainers.
Comment 3 VVD 2019-01-23 10:43:54 UTC
Hi!
When in releng?
Comment 4 Ed Maste freebsd_committer 2019-02-05 18:55:51 UTC
Patch in review https://reviews.freebsd.org/D19076
Comment 5 Jochen Neumeister freebsd_committer 2019-02-15 18:37:46 UTC
Does ports-secteam have to be active here?