Ubuntu update for OpenSSH
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 |
| CWE-ID | CWE-284 CWE-451 CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
openssh (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Security restrictions bypass
EUVDB-ID: #VU16946
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-20685
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.
MitigationUpdate the affected packages.
- Ubuntu 18.10
- openssh-client - 1:7.7p1-4ubuntu0.2
- Ubuntu 18.04 LTS
- openssh-client - 1:7.6p1-4ubuntu0.2
- Ubuntu 16.04 LTS
- openssh-client - 1:7.2p2-4ubuntu2.7
- Ubuntu 14.04 LTS
- openssh-client - 1:6.6p1-2ubuntu2.12
openssh (Ubuntu package): 1:6.6p1-2ubuntu2.2 - 1:7.7p1-4ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.2:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.3:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.4:*:*:*:*:ubuntu:*:*
https://usn.ubuntu.com/3885-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Spoofing attack
EUVDB-ID: #VU16990
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-6109
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
Update the affected packages.
- Ubuntu 18.10
- openssh-client - 1:7.7p1-4ubuntu0.2
- Ubuntu 18.04 LTS
- openssh-client - 1:7.6p1-4ubuntu0.2
- Ubuntu 16.04 LTS
- openssh-client - 1:7.2p2-4ubuntu2.7
- Ubuntu 14.04 LTS
- openssh-client - 1:6.6p1-2ubuntu2.12
openssh (Ubuntu package): 1:6.6p1-2ubuntu2.2 - 1:7.7p1-4ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.2:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.3:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.4:*:*:*:*:ubuntu:*:*
https://usn.ubuntu.com/3885-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Security restrictions bypass
EUVDB-ID: #VU16988
Risk: Low
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-6111
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to missing received object name validation by the scp client. A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).
Update the affected packages.
- Ubuntu 18.10
- openssh-client - 1:7.7p1-4ubuntu0.2
- Ubuntu 18.04 LTS
- openssh-client - 1:7.6p1-4ubuntu0.2
- Ubuntu 16.04 LTS
- openssh-client - 1:7.2p2-4ubuntu2.7
- Ubuntu 14.04 LTS
- openssh-client - 1:6.6p1-2ubuntu2.12
openssh (Ubuntu package): 1:6.6p1-2ubuntu2.2 - 1:7.7p1-4ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.2:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.3:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:openssh_ubuntu_package:1:6.6p1-2ubuntu2.4:*:*:*:*:ubuntu:*:*
https://usn.ubuntu.com/3885-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
