VYPR
Medium severity (CVSS 6.8) · OSV Advisory · Published Jan 31, 2019 · Updated May 28, 2026

CVE-2019-6109

Description

OpenSSH 7.9 missing character encoding in scp progress display allows malicious server to hide unauthorized file transfers using ANSI control codes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the refresh_progress_meter() function in progressmeter.c of OpenSSH through version 7.9. The function builds the progress line directly from the file name the scp server supplies, without encoding or sanitizing it. A malicious server (or a Man-in-the-Middle attacker) can therefore embed ANSI escape sequences in an object name; the client prints them verbatim, the terminal interprets them, and the attacker can rewrite what the user sees, in particular hiding the transfer of additional files. The flaw was publicly reported by Harry Sintonen as one of a set of scp client vulnerabilities [2].

Exploitation

An attacker must control the scp server that the victim connects to, or be able to perform a Man-in-the-Middle attack. In the MITM scenario the victim must first accept the attacker's host key fingerprint. During the transfer the attacker sends a crafted object name containing ANSI control codes. The client's progress meter writes these codes to the terminal unescaped, so the attacker can erase or overwrite lines of output and hide the appearance of extra files (for example ~/.bash_aliases) being received and written to the target directory. In the reported attack sequence, the victim runs scp user@remote:readme.txt . while the malicious server sends readme.txt followed by an additional .bash_aliases file, using ANSI sequences to remove the second file's progress line from the display [2].

Impact

A successful attacker can write arbitrary files into the victim's scp target directory (subject to the object name validation flaws described in CVE-2019-6111) while concealing those writes from the client's terminal output. The attacker can also change the permissions of the target directory (CVE-2018-20685). In the typical scenario the attacker drops a malicious .bash_aliases file into the victim's home directory; it is executed when the victim opens a new shell, which can lead to full compromise of the victim's local account [2].

Mitigation

The vulnerability is fixed in OpenSSH 8.0 [2]. Red Hat Enterprise Linux 8 ships openssh-8.0p1-3.el8 [1]. Ubuntu released updated packages as USN-3885-1 on 7 February 2019 [3]. Fedora advisories also provide updates [4]. Users unable to upgrade should avoid using scp against untrusted servers; sftp or rsync over ssh avoid the legacy scp protocol entirely, and from OpenSSH 9.0 onward scp itself transfers over SFTP by default. Note that the scp -O flag (OpenSSH 8.7 and later) forces the legacy scp protocol and therefore does not reduce exposure to this class of issue. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 42

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing character encoding in the progress display allows object names with ANSI control codes to manipulate client terminal output."

Attack vector

A malicious scp server (or Man-in-the-Middle attacker) sends crafted object names containing ANSI control sequences to the client. Because the progress display does not encode the name before printing it, the terminal interprets those sequences and the attacker controls what the user sees (CWE-451, UI misrepresentation of critical information). This can hide the transfer of additional malicious files (e.g., `.bash_aliases`) from the user's view [ref_id=1].

Affected code

The vulnerability is in `refresh_progress_meter()` in `progressmeter.c` [ref_id=1]. The scp client's progress display does not sanitize or encode object names received from the server before rendering them to the terminal.

What the fix does

The advisory references the fix at commit `8976f1c4b2721c26e878151f52bdf346dfe2d54c` [ref_id=1]. The fix formats the object name through OpenSSH's snmprintf() before it reaches the progress meter, so non-printable bytes (including ESC) are rendered as visible escapes rather than interpreted by the terminal. The advisory also recommends switching to SFTP as a general mitigation [ref_id=1].
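The following is an added illustration, not OpenSSH code or the fix itself: it contrasts a progress line built from the raw server-supplied name with one built from an encoded name, in the spirit of the snmprintf() change. The encoder is a minimal strnvis-style routine written here (octal escapes for non-printable bytes, `\\` for a backslash), and the attacker-controlled name (ESC[1A cursor-up, ESC[2K erase-line, then `.bash_aliases`) is a constructed sample, not a sequence taken from the advisory.

```c
/* Added example (not OpenSSH code): why an unencoded file name in the scp
 * progress meter lets a server steer the terminal, and what encoding fixes. */
#include <stdio.h>
#include <string.h>

/* Encode a name for display: printable ASCII passes through, a backslash
 * becomes "\\", every other byte becomes a \NNN octal escape (strnvis-like).
 * Returns the encoded length, or -1 if 'out' is too small. */
int encode_name(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        const char *rep;
        if (*p == '\\') {
            rep = "\\\\";
        } else if (*p >= 0x20 && *p < 0x7f) {
            tmp[0] = (char)*p;
            tmp[1] = '\0';
            rep = tmp;
        } else {
            snprintf(tmp, sizeof tmp, "\\%03o", *p);
            rep = tmp;
        }
        size_t l = strlen(rep);
        if (o + l + 1 > outlen)
            return -1;
        memcpy(out + o, rep, l);
        o += l;
    }
    out[o] = '\0';
    return (int)o;
}

/* True if the string still carries a byte a terminal would act on
 * (C0 control characters or DEL); ESC (0x1b) is the one that matters here. */
int has_control_bytes(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Vulnerable shape: the server-supplied name goes straight into the line
 * (the real meter also prefixes "\r" and adds size/rate columns; omitted). */
int format_progress_vulnerable(char *buf, size_t len, const char *name, int pct)
{
    return snprintf(buf, len, "%-20s %3d%%", name, pct);
}

/* Fixed shape: encode the name first, then format. */
int format_progress_fixed(char *buf, size_t len, const char *name, int pct)
{
    char enc[256];
    if (encode_name(name, enc, sizeof enc) < 0)
        return -1;
    return snprintf(buf, len, "%-20s %3d%%", enc, pct);
}

int main(void)
{
    /* Constructed sample name: move the cursor up one line and erase it,
     * then a file name the user would not expect to receive. */
    const char *evil = "\033[1A\033[2K.bash_aliases";
    char line[256];

    format_progress_vulnerable(line, sizeof line, evil, 100);
    printf("vulnerable line contains raw control bytes: %d\n",
           has_control_bytes(line));   /* prints 1 */

    format_progress_fixed(line, sizeof line, evil, 100);
    printf("fixed line contains raw control bytes:      %d\n",
           has_control_bytes(line));   /* prints 0 */
    printf("fixed line as displayed: [%s]\n", line);
    return 0;
}
```

The same check is a cheap regression guard for any tool that echoes peer-supplied names to a terminal: assert that the rendered line contains no byte below 0x20 (other than the ones the program itself emits, such as `\r`) after formatting.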

Preconditions

  • config: the victim uses scp (not sftp) to copy files from a server
  • network: the attacker controls the remote scp server or is a Man-in-the-Middle (for MITM, the victim must accept the wrong host key fingerprint)
  • input: no character encoding or sanitization is applied to object names in the progress display

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0 (no linked articles in our index yet)