CVE-2019-6109

Improper Encoding or Escaping of Output (CWE-116)

Published: Jan 31, 2019 | Modified: Nov 07, 2023

CVSS 3.x (Source: NVD): 6.8 MEDIUM
  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.x: 4.0 MEDIUM
  AV:N/AC:H/Au:N/C:P/I:P/A:N
RedHat/V2: (no score listed)
RedHat/V3: 3.1 LOW
  CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Ubuntu: MEDIUM

An issue was discovered in OpenSSH 7.9. Because the scp client's progress display writes the object (file) name to the terminal without encoding it, a malicious server (or a man-in-the-middle attacker) can supply crafted object names that manipulate the client's output, e.g. by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. The issue was fixed in OpenSSH 8.0, which escapes non-printable characters in the name before displaying it. It was reported together with CVE-2019-6111, the scp client's acceptance of server-chosen file names, which is what lets a server push the extra files that this bug then hides from the user.
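To make the vulnerable pattern and its fix concrete, here is an added C example written for this page; it is not OpenSSH code and does not reproduce progressmeter.c. It contrasts a progress line written with the raw server-supplied name against one written after vis(3)-style escaping, then feeds both through a tiny terminal model to show that the raw form erases the previous transfer line while the escaped form leaves it visible. Every function name, the screen model, and the sample file names (.bashrc, benign.txt) are constructed assumptions for this example, and real terminals honour far more sequences than the two modelled here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Detection check: does the name hold bytes a terminal treats as control data
 * (C0 controls such as ESC 0x1b, DEL, or any non-ASCII byte)? */
bool name_has_control_bytes(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p >= 0x7f) return true;
    return false;
}

/* Escape anything outside printable ASCII as \ooo and double backslashes, in
 * the spirit of vis(3). Returns the full length like snprintf; output fits outlen.
 * Deliberately simple: valid UTF-8 is escaped too (a real fix is locale-aware). */
size_t escape_for_terminal(const char *in, char *out, size_t outlen)
{
    size_t n = 0, w = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        int len = (*p == '\\') ? snprintf(tmp, sizeof tmp, "\\\\")
                : (*p >= 0x20 && *p < 0x7f) ? snprintf(tmp, sizeof tmp, "%c", *p)
                : snprintf(tmp, sizeof tmp, "\\%03o", (unsigned)*p);
        if (w + (size_t)len < outlen) { memcpy(out + w, tmp, (size_t)len); w += (size_t)len; }
        n += (size_t)len;
    }
    if (outlen) out[w] = '\0';
    return n;
}

/* Vulnerable shape, kept for contrast: the server-chosen name reaches the
 * terminal unmodified, so any ESC sequence in it is executed. */
int render_progress_raw(char *buf, size_t buflen, const char *name, int pct)
{
    return snprintf(buf, buflen, "%-20s %3d%%\n", name, pct);
}

/* Hardened shape: escape first, then format. */
int render_progress_safe(char *buf, size_t buflen, const char *name, int pct)
{
    char safe[512];
    escape_for_terminal(name, safe, sizeof safe);
    return snprintf(buf, buflen, "%-20s %3d%%\n", safe, pct);
}

/* Tiny terminal model, constructed for this demo: a few rows, a cursor, and only
 * '\n', CSI n A (cursor up n rows) and CSI 2 K (erase row); other CSI are swallowed. */
#define ROWS 4
#define COLS 80
struct screen { char row[ROWS][COLS]; int r, c; };

void screen_feed(struct screen *s, const char *data)
{
    for (const char *p = data; *p; p++) {
        if (*p == '\n') { if (s->r < ROWS - 1) s->r++; s->c = 0; continue; }
        if (*p == '\x1b' && p[1] == '[') {
            const char *q = p + 2; int n = 0;
            while (isdigit((unsigned char)*q))
                n = n * 10 + (*q++ - '0');
            if (*q == '\0') break;      /* truncated sequence: stop */
            if (*q == 'A') { if (n == 0) n = 1; s->r = s->r >= n ? s->r - n : 0; }
            else if (*q == 'K' && n == 2) memset(s->row[s->r], 0, COLS);
            p = q;                      /* the loop's p++ steps past the final byte */
            continue;
        }
        if (s->c < COLS - 1)
            s->row[s->r][s->c++] = *p;
    }
}

/* Scenario: the server pushes a file the user never asked for, then the file the
 * user did ask for, whose name begins with "cursor up, erase line". Returns how
 * many rows still hold text: raw rendering leaves one, escaped rendering two. */
int rows_visible_after_transfer(bool escape_names, struct screen *out)
{
    const char *pushed_extra = ".bashrc";               /* constructed */
    const char *expected = "\x1b[1A\x1b[2Kbenign.txt";  /* constructed */
    int (*render)(char *, size_t, const char *, int) =
        escape_names ? render_progress_safe : render_progress_raw;
    struct screen s;
    char line[600];
    int visible = 0;
    memset(&s, 0, sizeof s);
    render(line, sizeof line, pushed_extra, 100); screen_feed(&s, line);
    render(line, sizeof line, expected, 100);     screen_feed(&s, line);
    for (int i = 0; i < ROWS; i++)
        visible += s.row[i][0] != '\0';
    if (out) *out = s;
    return visible;
}

int main(void)
{
    struct screen s;
    int raw = rows_visible_after_transfer(false, &s);
    printf("raw: %d row(s) visible, row 0 = \"%s\"\n", raw, s.row[0]);
    printf("escaped: %d row(s) visible\n", rows_visible_after_transfer(true, NULL));
    return 0;
}
```

Build with `cc -Wall -o progress_demo progress_demo.c` and run it: with raw rendering the .bashrc line is gone and only "benign.txt" remains on screen, which is exactly the effect the description attributes to crafted object names. The escaper is also the practical check for logs or transfer listings: a name whose escaped form is longer than the original contained bytes a terminal would have interpreted.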

Weakness

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Affected Software

Name                        Vendor    Start Version           End Version
Openssh                     Openbsd   *                       7.9 (including)
Winscp                      Winscp    *                       5.13 (including)
Red Hat Enterprise Linux 8  RedHat    openssh-0:8.0p1-3.el8   *
Openssh                     Ubuntu    bionic                  *
Openssh                     Ubuntu    cosmic                  *
Openssh                     Ubuntu    devel                   *
Openssh                     Ubuntu    disco                   *
Openssh                     Ubuntu    eoan                    *
Openssh                     Ubuntu    fips-preview/jammy      *
Openssh                     Ubuntu    fips-updates/jammy      *
Openssh                     Ubuntu    fips-updates/xenial     *
Openssh                     Ubuntu    fips/xenial             *
Openssh                     Ubuntu    focal                   *
Openssh                     Ubuntu    groovy                  *
Openssh                     Ubuntu    hirsute                 *
Openssh                     Ubuntu    impish                  *
Openssh                     Ubuntu    jammy                   *
Openssh                     Ubuntu    kinetic                 *
Openssh                     Ubuntu    lunar                   *
Openssh                     Ubuntu    mantic                  *
Openssh                     Ubuntu    noble                   *
Openssh                     Ubuntu    oracular                *
Openssh                     Ubuntu    precise/esm             *
Openssh                     Ubuntu    trusty                  *
Openssh                     Ubuntu    upstream                *
Openssh                     Ubuntu    xenial                  *
Openssh-ssh1                Ubuntu    bionic                  *
Openssh-ssh1                Ubuntu    cosmic                  *
Openssh-ssh1                Ubuntu    disco                   *
Openssh-ssh1                Ubuntu    eoan                    *
Openssh-ssh1                Ubuntu    groovy                  *
Openssh-ssh1                Ubuntu    hirsute                 *
Openssh-ssh1                Ubuntu    impish                  *
Openssh-ssh1                Ubuntu    kinetic                 *
Openssh-ssh1                Ubuntu    lunar                   *
Openssh-ssh1                Ubuntu    mantic                  *
Openssh-ssh1                Ubuntu    upstream                *

Extended Description

Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. Most products follow a protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1"). If an application uses attacker-supplied input to construct a structured message without properly encoding or escaping it, the attacker can insert special characters that cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly. In this CVE the receiving component is the user's terminal: the byte stream scp writes to it is the structured message, ESC-prefixed sequences are its control information, and a file name containing them is data that the terminal reads as instructions to move the cursor, erase lines, or otherwise change what the user sees.

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These help the programmer encode outputs in a manner less prone to error.
  • Alternatively, use built-in functions, but consider wrapping them in case those functions are later found to have a vulnerability.
  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
  • For output to a terminal, as in this CVE, escape or strip non-printable bytes (ESC and the other C0/C1 controls, DEL, and invalid multibyte sequences) from every attacker-influenced string before it is written to the tty, using a vis(3)-style encoder or an equivalent; the OpenSSH 8.0 fix takes this approach for the file name shown by the progress meter.
