CVE-2019-14889

8.8 HIGH

📋 TL;DR

This vulnerability allows remote command injection in libssh's SCP client when user-controlled input is passed to the ssh_scp_new() function. Attackers can execute arbitrary commands on the server when connecting to a malicious or compromised SCP server. Applications using libssh's SCP client functionality with untrusted path inputs are affected.

💻 Affected Systems

Products:
  • libssh
  • applications using libssh SCP client functionality
Versions: libssh versions before 0.9.3 and before 0.8.8
Operating Systems: Linux, Unix-like systems, Windows (if using libssh)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when an application passes user-controlled input as the third parameter (the remote location) of the ssh_scp_new() function. Not all libssh usage is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the remote server with arbitrary command execution as the connecting user, potentially leading to data theft, lateral movement, or complete system takeover.

🟠 Likely Case: Limited command execution on the server depending on user privileges, potentially allowing file system access, data exfiltration, or further privilege escalation.

🟢 If Mitigated: No impact if input validation prevents user-controlled paths from reaching the vulnerable function, or if connections are restricted to trusted servers.

🌐 Internet-Facing: MEDIUM - Requires user interaction to connect to malicious server, but automated tools could trick users into connecting.
🏢 Internal Only: MEDIUM - Internal attackers could set up malicious SCP servers or compromise existing ones to exploit clients.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to connect to a malicious SCP server. The vulnerability is in the client-side library when processing server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libssh 0.9.3 or 0.8.8

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889

Restart Required: Yes

Instructions:

1. Update libssh to version 0.9.3 or 0.8.8 or later.
2. On Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade libssh-4' (Debian/Ubuntu) or 'sudo yum update libssh' (RHEL/CentOS).
3. Restart applications using libssh.

🔧 Temporary Workarounds

Input validation (all): Validate and sanitize user input before passing it to the ssh_scp_new() function.

Restrict SCP connections (all): Only allow SCP connections to trusted, verified servers.

🧯 If You Can't Patch

  • Implement strict input validation for all user-provided paths in applications using libssh SCP
  • Disable SCP functionality or use alternative secure file transfer methods
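The two workaround entries above (validate input before ssh_scp_new(), and strict validation of user-provided paths when you cannot patch) both come down to the same check. The following is an added example, not libssh's own code and not from this advisory: an allowlist check for the remote location string that an application would run before the value reaches the third parameter of ssh_scp_new(). The function name scp_location_is_safe, the SCP_PATH_MAX limit and the wrapper upload_with_checked_location are assumptions made for the example; libssh is not linked, so the real ssh_scp_new() call is shown only as a comment at the call site.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libssh code. Allowlist for a remote SCP location:
 * only [A-Za-z0-9._/-] is accepted, the string must be non-empty and
 * bounded in length, must not start with '-' (so it cannot be read as an
 * option) and must not contain a ".." path segment. Everything else,
 * including whitespace, shell metacharacters, quotes, newlines and
 * non-ASCII bytes, is rejected. SCP_PATH_MAX is an assumed limit. */
#define SCP_PATH_MAX 4096

static bool scp_location_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' ||
           c == '/' || c == '-';
}

bool scp_location_is_safe(const char *location)
{
    if (location == NULL) {
        return false;
    }
    size_t len = strlen(location);
    if (len == 0 || len > SCP_PATH_MAX) {
        return false;
    }
    if (location[0] == '-') {
        return false;              /* would be parsed as an option */
    }
    for (size_t i = 0; i < len; i++) {
        if (!scp_location_char_ok((unsigned char)location[i])) {
            return false;          /* any character outside the allowlist */
        }
    }
    /* Reject any path segment that is exactly ".." (directory climb). */
    const char *p = location;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t seg_len = slash ? (size_t)(slash - p) : strlen(p);
        if (seg_len == 2 && p[0] == '.' && p[1] == '.') {
            return false;
        }
        if (slash == NULL) {
            break;
        }
        p = slash + 1;
    }
    return true;
}

/* Hypothetical call site showing how an application gates the libssh call.
 * Returns 0 when the location was accepted, -1 when it was refused. */
int upload_with_checked_location(const char *user_supplied_location)
{
    if (!scp_location_is_safe(user_supplied_location)) {
        return -1;   /* refuse: the value never reaches ssh_scp_new() */
    }
    /* With libssh linked, the real call would be:
     * ssh_scp scp = ssh_scp_new(session, SSH_SCP_WRITE, user_supplied_location);
     */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real system. */
    const char *samples[] = {
        "/home/user/upload/report.txt",
        "backup-2019.tar.gz",
        "report.txt; echo hi",
        "../etc/shadow",
        "-rf",
        "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-32s %s\n", samples[i],
               scp_location_is_safe(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The check is deliberately an allowlist rather than a blocklist of metacharacters: a blocklist has to anticipate every way the remote shell might interpret the string, whereas an allowlist only has to describe the paths the application actually needs. If your application must support spaces or non-ASCII file names, widen the allowlist consciously and re-test rather than removing the check.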

🔍 How to Verify

Check if Vulnerable:

Check libssh version: 'ssh -V' or 'ldconfig -p | grep libssh' and compare to vulnerable versions (<0.9.3 and <0.8.8). Also review application code for use of ssh_scp_new() with user input.

Check Version:

ssh -V 2>&1 | grep -o 'libssh-[0-9.]*' || pkg-config --modversion libssh || find /usr -name '*libssh*' -exec strings {} \; 2>/dev/null | grep 'libssh' | head -1

Verify Fix Applied:

Confirm libssh version is 0.9.3 or higher, or 0.8.8 or higher. Test SCP functionality with known safe servers.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SCP connection patterns
  • Failed SCP authentication attempts
  • Unexpected command execution following SCP connections

Network Indicators:

  • SCP connections to unknown or suspicious servers
  • Unusual outbound SCP traffic patterns

SIEM Query:

source="*ssh*" OR source="*scp*" AND (event="failed" OR event="error" OR command="*;*" OR command="*|*" OR command="*&*")
