#VU16946 Security restrictions bypass in OpenSSH - CVE-2018-20685


| Updated: 2019-01-16

Vulnerability identifier: #VU16946

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-20685

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSH: 7.9

External links
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SolarWinds Security Event Manager (SEM) update for third-party components
Multiple vulnerabilities in Dell EMC Unity Family
Anolis OS update for openssh
SolarWinds Security Event Manager (SEM) update for third-party components
Gentoo update for Dropbear
Red Hat update for openssh
Amazon Linux AMI update for openssh
Gentoo update for OpenSSH
Security restrictions bypass in dropbear (Alpine package)
Security restrictions bypass in openssh (Alpine package)