CVE-2023-35812
Description
An issue was discovered in the Amazon Linux packages of OpenSSH 7.4 for Amazon Linux 1 and 2, because of an incomplete fix for CVE-2019-6111 within these specific packages. The fix had only covered cases where an absolute path is passed to scp. When a relative path is used, there is no verification that the name of a file received by the client matches the file requested. Fixed packages are available with numbers 7.4p1-22.78.amzn1 and 7.4p1-22.amzn2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Amazon Linux OpenSSH 7.4 packages have an incomplete fix for CVE-2019-6111, allowing scp client to be tricked when using relative paths, leading to potential file overwrite.
An incomplete fix for CVE-2019-6111 was found in the Amazon Linux packages of OpenSSH 7.4 for Amazon Linux 1 and 2. The original fix only addressed cases where an absolute path is passed to scp. When a relative path is used, there is no verification that the name of a file received by the client matches the file requested [1].
To exploit this vulnerability, an attacker must control the SSH server the victim copies from with scp, or be positioned as a man-in-the-middle on that connection. If the victim names the file with a relative path, the server can answer with a different file name in the scp protocol header, and the client writes the server-supplied content under that name in its target directory [1].
The impact is the same as CVE-2019-6111: the server chooses the name of the file written into the client's target directory, so it can overwrite any file there with content of its choosing (and, with a recursive copy, files in subdirectories of the target). Whether that reaches a sensitive file such as ~/.ssh/authorized_keys depends on where the victim copies to; a copy into the home directory, or a recursive copy, is the case where an overwrite can be turned into persistent SSH access [1].
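The check that was missing is easy to see on the wire: the scp server announces each file with a header of the form `C<mode> <size> <name>`, and the client decides what to write from that header. The example below is added here to illustrate that decision; it is not code from the page or from OpenSSH or the Amazon Linux package. The exact shape of the incomplete backport is not on this page, so the function `accept_incomplete` is an assumed model of the behaviour described above (verify the name only when the request is an absolute path), `accept_fixed` always verifies, and matching the server's name against the requested basename with `fnmatch` (so that a requested glob still works) is this example's own design choice. All sample headers and paths are constructed.

```python
import fnmatch
import posixpath


def parse_scp_header(header: str):
    """Parse an scp file header 'C<mode> <size> <name>\\n' into (mode, size, name).

    The name is chosen by the server; nothing in the protocol ties it to the
    name the client asked for, which is why the client must check it.
    """
    if not header.startswith("C"):
        raise ValueError("not a file header: %r" % header)
    mode_s, size_s, name = header[1:].rstrip("\n").split(" ", 2)
    return int(mode_s, 8), int(size_s), name


def name_is_sane(name: str) -> bool:
    """Cursory checks scp has always done: no traversal, no path components."""
    return name not in ("", ".", "..") and "/" not in name


def matches_request(requested: str, received: str) -> bool:
    """Does the server-supplied name match what the client asked for?

    The request may be a glob (scp lets the server expand it), so the
    basename of the request is treated as a pattern. Hypothetical helper.
    """
    return fnmatch.fnmatchcase(received, posixpath.basename(requested))


def accept_incomplete(requested: str, received: str) -> bool:
    """Assumed model of the incomplete backport described in the CVE:
    the name is verified only when the request is an absolute path."""
    if not name_is_sane(received):
        return False
    if requested.startswith("/"):
        return matches_request(requested, received)
    return True  # relative request: server's name accepted unchecked (the bug)


def accept_fixed(requested: str, received: str) -> bool:
    """Complete check: the server's name must match regardless of path form."""
    if not name_is_sane(received):
        return False
    return matches_request(requested, received)


def client_write_target(target_dir: str, requested: str, header: str, accept):
    """Return the path the client would write, or None if the header is rejected."""
    _mode, _size, received = parse_scp_header(header)
    if not accept(requested, received):
        return None
    return posixpath.join(target_dir, received)


if __name__ == "__main__":
    # Constructed scenario: victim runs `scp server:report.txt .` from $HOME,
    # but a hostile server answers with a header naming a different file.
    hostile_header = "C0644 42 .bashrc\n"
    for label, accept in (("incomplete fix", accept_incomplete), ("complete fix", accept_fixed)):
        for requested in ("report.txt", "/srv/report.txt"):
            target = client_write_target("/home/victim", requested, hostile_header, accept)
            print("%-14s request=%-16s -> %s" % (label, requested, target or "rejected"))
```

Running the script shows the incomplete check writing `/home/victim/.bashrc` for the relative request and rejecting only the absolute one, while the complete check rejects both. Note that a requested glob such as `*.txt` still lets the server pick any name matching the pattern; that is inherent to server-side expansion and is why a pattern-based check can only be as tight as the request.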
Fixed packages are available with versions 7.4p1-22.78.amzn1 and 7.4p1-22.amzn2.0.2. Users are advised to update their OpenSSH packages to mitigate the vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.