{
  "threat_severity" : "Moderate",
  "public_date" : "2018-11-16T00:00:00Z",
  "bugzilla" : {
    "description" : "openssh: Acceptance and display of arbitrary stderr allows for spoofing of scp client output",
    "id" : "1666124",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1666124"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-451",
  "details" : [ "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.", "A vulnerability was found in OpenSSH that could allow a remote attacker to conduct spoofing attacks. This is caused by the acceptance and display of arbitrary stderr output from the SCP server, where a man-in-the-middle attacker could exploit this vulnerability to spoof the SCP client output, misleading the user into thinking the operation was successful or reporting false information." ],
  "statement" : "This vulnerability is rated as a moderate because it allows a malicious server or a Man-in-the-Middle attacker to manipulate client output by injecting arbitrary stderr content, on exploitation this could mislead the user into thinking the operation was successful or reporting false information, it can facilitate social engineering attacks.\nThis issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666124#c2",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-6110\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-6110\nhttps://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt" ],
  "name" : "CVE-2019-6110",
  "mitigation" : {
    "value" : "This issue only affects the users of scp binary which is a part of openssh-clients package. Other usage of SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removing the openssh-clients package will make binaries like scp and ssh etc unavailable on that system.\nNote: To exploit this flaw, the victim needs to connect to a malicious SSH server or MITM (Man-in-the-middle) the scp connection, both of which can be detected by the system administrator via a change in the host key of the SSH server. Further, if connections via scp are made to only trusted SSH servers, then those use-cases are not vulnerable to this security flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}