CVE-2019-6110
Description
OpenSSH 7.9 scp client displays arbitrary stderr from server, allowing ANSI control codes to hide file transfers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSSH 7.9 scp client displays arbitrary stderr from server, allowing ANSI control codes to hide file transfers.
Vulnerability
In OpenSSH 7.9, the scp client accepts and displays arbitrary stderr output from the server without sanitization. This allows a malicious server or Man-in-the-Middle attacker to inject ANSI control codes that manipulate the terminal output, effectively hiding additional file transfers from the user [1][2]. The vulnerability stems from the client's failure to filter or escape control sequences in server-provided stderr messages.
Exploitation
An attacker must control the SSH server or be in a position to perform a Man-in-the-Middle attack (requiring the victim to accept a wrong host fingerprint) [1]. During an scp file retrieval, the attacker sends ANSI escape sequences via stderr to overwrite or clear lines of output, concealing the transfer of extra files (e.g., .bash_aliases) [2]. The victim sees only the expected file transfer progress, while the malicious file is silently written to the target directory.
Impact
By hiding the transfer of arbitrary files, the attacker can plant malicious startup scripts (e.g., .bash_aliases) in the victim's home directory. When the victim opens a new shell, the script executes, leading to arbitrary code execution with the victim's privileges [1]. This output manipulation vulnerability (CVE-2019-6110) is often combined with directory traversal or object validation flaws (CVE-2019-6111) to achieve full compromise [2].
Mitigation
OpenSSH 7.9p1 (and later) includes a fix for this issue; Gentoo recommends upgrading to >=net-misc/openssh-7.9_p1-r4 [3]. Users unable to upgrade should avoid using scp and instead use sftp or rsync for file transfers, as those protocols do not rely on the same stderr handling [1]. No workaround exists for the vulnerable scp client itself.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
39- osv-coords37 versionspkg:rpm/opensuse/openssh&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/openssh&distro=openSUSE%20Tumbleweedpkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/openssh-askpass-gnome&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/openssh&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/openssh&distro=SUSE%20OpenStack%20Cloud%207
< 7.6p1-lp150.8.9.1+ 36 more
- (no CPE)range: < 7.6p1-lp150.8.9.1
- (no CPE)range: < 8.4p1-7.4
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.6p1-9.13.1
- (no CPE)range: < 6.6p1-36.12.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 6.6p1-36.12.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.6p1-9.13.1
- (no CPE)range: < 7.6p1-9.13.1
- (no CPE)range: < 6.6p1-36.12.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 6.6p1-36.12.1
- (no CPE)range: < 6.6p1-54.26.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
- (no CPE)range: < 7.2p2-74.35.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The scp client accepts and displays arbitrary stderr output from the server without sanitization, allowing ANSI control sequences to manipulate the terminal display."
Attack vector
A malicious scp server (or a Man-in-the-Middle attacker who tricks the victim into accepting a wrong host fingerprint) sends crafted ANSI control sequences over the stderr channel during an scp file transfer [ref_id=1]. The OpenSSH scp client blindly displays this stderr output to the user, allowing the attacker to hide the transfer of additional files (such as .bash_aliases) by overwriting or clearing portions of the terminal display. The victim sees only the expected file transfer progress and does not notice the extra files being written to the target directory.
Affected code
The advisory [ref_id=1] identifies the scp client in OpenSSH 7.9 as the vulnerable component. The flaw is in the client's handling of stderr output from the remote scp server — the client accepts and displays arbitrary stderr data without sanitization.
What the fix does
The advisory [ref_id=1] recommends applying the OpenSSH patch at https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c (which addresses CVE-2019-6109, a related output-spoofing issue) and/or the unofficial hardening patch at https://sintonen.fi/advisories/scp-name-validator.patch. The advisory also suggests switching to sftp as a more robust alternative. No patch specific to CVE-2019-6110 alone is listed; the fix for stderr spoofing is expected to sanitize or filter ANSI control sequences from server-supplied stderr output before displaying it to the user.
Preconditions
- networkVictim initiates an scp file transfer from a malicious server (or a MitM attacker who intercepts the connection and the victim accepts the wrong host fingerprint)
- inputThe attacker-controlled server sends ANSI control sequences via the stderr channel
Reproduction
The advisory [ref_id=1] states that a proof-of-concept malicious scp server will be released at a later date and does not include reproduction steps. However, a public PoC is available at https://www.exploit-db.com/exploits/46193/. That exploit demonstrates a malicious scp server that sends ANSI escape sequences over stderr to hide the transfer of extra files (e.g., .bash_aliases) while the victim runs `scp user@remote:readme.txt .`.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- www.exploit-db.com/exploits/46193/mitreexploit
- security.gentoo.org/glsa/201903-16mitrevendor-advisory
- cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfmitre
- cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.cmitre
- cvsweb.openbsd.org/src/usr.bin/ssh/scp.cmitre
- security.netapp.com/advisory/ntap-20190213-0001/mitre
- sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtmitre
News mentions
0No linked articles in our index yet.