Multiple vulnerabilities in SCP implementation in WinSCP
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2019-6111 CVE-2019-6110 CVE-2019-6109 CVE-2018-20685 |
| CWE-ID | CWE-20 CWE-451 CWE-284 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
WinSCP Client/Desktop applications / File managers, FTP clients |
| Vendor | winscp.sourceforge.net |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Security restrictions bypass
EUVDB-ID: #VU16988
Risk: Low
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-6111
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to missing received object name validation by the scp client. A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).
Update to version 5.14.
Vulnerable software versionsWinSCP: 5.0 - 5.13.7
CPE2.3- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.2:*:*:*:*:*:*:*
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Spoofing attack
EUVDB-ID: #VU16989
Risk: Low
CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-6110
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists due to missing character encoding in the progress display by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
Update to version 5.14.
Vulnerable software versionsWinSCP: 5.0 - 5.13.7
CPE2.3- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.2:*:*:*:*:*:*:*
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Spoofing attack
EUVDB-ID: #VU16990
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-6109
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
Update to version 5.14.
Vulnerable software versionsWinSCP: 5.0 - 5.13.7
CPE2.3- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.2:*:*:*:*:*:*:*
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Security restrictions bypass
EUVDB-ID: #VU16946
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-20685
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.
MitigationUpdate to version 5.14.
Vulnerable software versionsWinSCP: 5.0 - 5.13.7
CPE2.3- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:winscp_sourceforge_net:winscp:5.0.2:*:*:*:*:*:*:*
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
