Directory-traversal vulnerability in OpenSSH scp (Juniper Networks NetScreen Advisory 59739)

  [JSA10337]


Legacy Advisory Id:
PSN-2004-09-001
Product Affected:
All IDP up to and including 3.0r2
Problem:
A directory-traversal vulnerability in OpenSSH scp allows remote malicious servers to overwrite arbitrary files.

Scp is a file transfer utility using the OpenSSH protocol and is included in the OpenSSH package. It can be used to transmit files to or from a remote ssh server. A malicious ssh server may be able to exploit a security vulnerability in all versions of scp.

When a user on the IDP initiates an scp copy to retrieve files from an untrusted server to the IDP, the malicious server can cause the scp client on the IDP to overwrite sensitive files. To be at risk a number of conditions have to be met:
  1. The user must have write access to the file to be overwritten by the malicious server.
  2. The user must run scp from the IDP and copy a file from the server.
  3. Connection to a malicious ssh server has to be made from the IDP. We are currently not aware of any active exploit code for this vulnerability.
  4. Verification of the ssh server key fingerprint will reveal an attempt to spoof a legitimate ssh server.
Solution:
OpenSSH version 3.1p1-14 and higher has been modified to eliminate the directory traversal vulnerability.
Implementation:
  • Option 1: Upgrade the IDP with the latest OpenSSH rpm packages (available from the Customer Support Center):
    Version                                  MD5 Hash
    openssh-3.1p1-14.idp2.i386.rpm           d2165c9ade41573a17ccf4c718981a3e
    openssh-client-3.1p1-14.idp2.i386.rpm    36c02ddb5267ac17aff907e906bbeffe
    openssh-server-3.1p1-14.idp2.i386.rpm    f20f558aa7c9aa20fea6cdeccbc11c5f
    Follow these steps to install the packages:
    1. Copy the RPM packages to the /tmp directory on the IDP appliance.
    2. Log in to the IDP as the root user using the serial interface, or directly on the appliance (keyboard/monitor).
    3. Upgrade the RPM packages by typing the following as the root user:
      $ rpm -Uvh --force /tmp/openssh*3.1p1-14.idp2.i386.rpm
  • Option 2: Do not use the scp command on the IDP. Use an scp client on a remote host to push files to the IDP.
  • Option 3: Do not use the scp command to connect to an untrusted OpenSSH server.
  • Option 4: Use sftp as an alternative to scp for file downloads.
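
For Option 1, the packages copied to /tmp can be checked against the MD5 values in the table above before rpm is run. The script below is an added example, not part of the original advisory; the function name verify_packages, the manifest layout and the availability of md5sum on the appliance are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): fail-closed MD5 check of the
# Option 1 packages. verify_packages is a hypothetical helper name.

# md5sum-style manifest ("<hash>  <file>"), values copied from the advisory table.
ADVISORY_MANIFEST='d2165c9ade41573a17ccf4c718981a3e  openssh-3.1p1-14.idp2.i386.rpm
36c02ddb5267ac17aff907e906bbeffe  openssh-client-3.1p1-14.idp2.i386.rpm
f20f558aa7c9aa20fea6cdeccbc11c5f  openssh-server-3.1p1-14.idp2.i386.rpm'

# verify_packages DIR [MANIFEST]
# Returns 0 only if every file named in the manifest exists in DIR and its
# MD5 matches. A missing file or a mismatch makes the whole check return 1.
verify_packages() {
    dir=$1
    manifest=${2:-$ADVISORY_MANIFEST}
    status=0
    while read -r want name; do
        [ -n "$want" ] || continue          # skip empty manifest lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        got=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2
            status=1
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# Usage on the appliance, as root (install runs only if all three match):
#   verify_packages /tmp && rpm -Uvh --force /tmp/openssh*3.1p1-14.idp2.i386.rpm
```

Because the rpm glob in step 3 matches any file of that name pattern in /tmp, running the check first keeps an unexpected or truncated package from being installed.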
Modification History:

2017-03-05: Category restructure.

Risk Level:
Low
Risk Assessment:
A malicious ssh server may overwrite arbitrary files on the IDP filesystem. To be at risk, a number of conditions have to be met:
  1. The user must have write access to the file to be overwritten by the malicious server.
  2. The user must run scp from the IDP and copy a file from the server.
  3. Connection to a malicious ssh server has to be made from the IDP. We are currently not aware of any active exploit code for this vulnerability.
  4. Verification of the ssh server key fingerprint will reveal an attempt to spoof a legitimate ssh server.