
CVE-2019-6110:
OpenSSH SCP Client Output Manipulation Vulnerability

CVSS Score (3.0): 6.8

Basic Information

EPSS Score: 0.9761%
Published: 5/13/2022
Updated: 1/29/2023
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Vulnerability Intelligence
Root Cause Analysis

The vulnerability CVE-2019-6110 allows a malicious server to manipulate SCP client output by sending ANSI control codes via stderr. I analyzed the provided information, including the vulnerability description and related advisories. The advisory from sintonen.fi was particularly helpful in detailing the vulnerability. Although direct commit information for the CVE-2019-6110 patch was not fetchable via the provided tools, information from related CVEs (like CVE-2019-6109 affecting filename display in progressmeter.c) and the CVS logs for scp.c and progressmeter.c provided clues. The core issue is the client's failure to sanitize output received from the server before displaying it on the terminal.

  1. scp.c:main: Orchestrates the scp client operations. It's responsible for handling the ssh subprocess from which stderr is read. If this stderr is printed without sanitization by main or functions it calls, it's vulnerable.
  2. scp.c:response: This function is responsible for reading lines from the remote server, which includes stderr. If these lines are passed to output functions without sanitization, it's a key part of the vulnerability.
  3. scp.c:error: This function is used to print error messages. If it prints server-originated stderr messages containing ANSI codes without sanitization, it directly leads to the vulnerability.
  4. progressmeter.c:refresh_progress_meter: While the primary fix here was for CVE-2019-6109 (filename spoofing), the general mechanism of displaying server-influenced strings without sanitization is relevant. If stderr content could affect this display, it's a potential vector.

The confidence levels reflect the directness of involvement: scp.c:response and scp.c:error are highly likely to be involved in processing and displaying the malicious stderr. scp.c:main is involved as the orchestrator, and progressmeter.c:refresh_progress_meter is involved due to its role in displaying server-influenced data, though CVE-2019-6110 is broader than just the progress meter.
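The root cause named above is server-originated text reaching the terminal unsanitized. The following is an added example, not OpenSSH's code or its patch: a hypothetical helper, `sanitize_for_terminal`, that rewrites control bytes as visible escapes before display, run on a constructed stderr line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH code): copy untrusted bytes into out,
 * rewriting anything that could drive the terminal as a visible \xNN escape.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t sanitize_for_terminal(const unsigned char *in, size_t inlen,
                             char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outlen == 0)
        return 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        /* Printable ASCII except backslash, plus newline and tab, pass through. */
        int safe = (c >= 0x20 && c <= 0x7e && c != '\\') || c == '\n' || c == '\t';
        size_t need = safe ? 1 : 4;

        if (o + need >= outlen)   /* keep room for NUL; never emit a partial escape */
            break;
        if (safe) {
            out[o++] = (char)c;
        } else {
            /* ESC (0x1b), CR, BS, DEL and 8-bit bytes incl. C1 CSI (0x9b) land here. */
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a server stderr line that erases the previous
     * terminal line (ESC[1A ESC[2K) before printing a benign-looking message. */
    const unsigned char line[] = "\x1b[1A\x1b[2Kscp: done\r\n";
    char buf[128];

    sanitize_for_terminal(line, sizeof(line) - 1, buf, sizeof(buf));
    fputs(buf, stderr);
    return 0;
}
```

Escaping the backslash itself keeps the output unambiguous: a literal `\x1b` sent by the server cannot be confused with an escaped ESC byte.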
