tenable:159491 · OpenSSH < 8.0

01 · The Real Story

This is like flagging the garage door because the problem is really a bad package handed to the driver

Tenable plugin 159491 fires when an SSH server presents an OpenSSH banner older than 8.0, then maps that to CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111. The problem: those flaws are in the legacy scp client workflow. Exploitation requires a user on the affected host to run scp against a malicious or man-in-the-middle server; it is not a straight unauthenticated attack against the listening sshd service on port 22.

The vendor's MEDIUM label is already modest, but for a server-side exposure queue it is still too generous. The exploit path is post-discovery, user-driven, and workflow-specific, and the plugin itself says detection is based only on the self-reported banner. In real enterprise patch triage, this is mostly classification noise unless the host is actually used as an scp client to pull from untrusted endpoints.

"Banner-only server finding for a client-side scp bug chain; keep it out of the urgent patch queue."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an old OpenSSH installation

A scanner or attacker sees an SSH banner older than 8.0 and assumes the host is affected. Tenable's own note says the plugin does not test the scp flaws directly and relies on version reporting. That is enough for inventory, but not enough to prove a server-exploitable condition.

Conditions required:

TCP/22 reachable or otherwise observable
Banner disclosure available
OpenSSH build appears older than 8.0

Where this breaks in practice:

This identifies a version string, not a reachable exploit path
Enterprise Linux commonly backports fixes while keeping older version numbers
The vulnerable behavior lives in scp client operations, not passive sshd listening

Detection/coverage: High scanner coverage for banner detection; low fidelity for true exploitability. Expect false priority inflation on distro-backported packages.

STEP 02

Wait for a victim to use scp to a hostile endpoint

To weaponize the issue, the attacker needs the target host's user or automation to invoke legacy scp against a malicious server, or to intercept that session. This is a very different prerequisite from 'host exposes SSH'. It implies either social engineering, supply-chain trust in the remote endpoint, or an existing position for MITM.

Conditions required:

Affected host is used as an scp client
User or automation initiates file transfer
Remote endpoint is malicious or traffic can be intercepted

Where this breaks in practice:

Many servers never originate scp transfers at all
Host key checking and pinned known_hosts reduce first-use MITM success
Modern workflows often use sftp, rsync, package repos, artifacts, or config management instead of raw scp

Detection/coverage: Network vuln scanners do not validate this step. EDR, shell history, process exec telemetry, and SSH client logs are better sources.

STEP 03

Abuse legacy scp filename and output handling

A malicious server returns crafted filenames or output so the client may overwrite unexpected local files, hide extra files in transfer output, or manipulate directory permissions. The strongest impact in this set is CVE-2019-6111, where recursive transfers can let the server write attacker-controlled content into paths under the target directory tree.

Conditions required:

Legacy scp protocol is in use
Vulnerable scp client code path reached
Client accepts data from hostile server

Where this breaks in practice:

Blast radius is limited to what the invoking user can write
Impact often lands in a working directory, not instant host compromise
Some cases need recursive copy or careful operator deception to matter

Detection/coverage: No strong remote scanner validation. Monitor suspicious scp use, unexpected file writes in admin home directories, and integrity changes under transfer destinations.

STEP 04

Turn file overwrite into something useful

An attacker still has to convert a local overwrite or spoofed transfer into durable access or meaningful damage. That usually means hitting files like shell profiles, scripts, or authorized_keys in a writable path. This is real risk, but it is several steps removed from an inbound server exploit.

Conditions required:

Chosen destination path is security-relevant
Invoking account has useful local privileges
Operator does not notice anomalous transfer behavior

Where this breaks in practice:

Least privilege and non-root transfer accounts sharply reduce impact
EDR/FIM can catch unexpected writes to persistence locations
Many enterprise automations use dedicated service accounts with narrow write scope

Detection/coverage: Best covered by FIM, EDR, and auditd/sysmon-style file creation telemetry rather than perimeter vulnerability scanning.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence this CVE set is in CISA KEV, and I found no authoritative reporting of active mass exploitation campaigns tied to this `scp` client chain.
Proof-of-concept availability	Yes. Public technical detail has existed since Harry Sintonen's advisory, and public exploit/PoC references exist for `CVE-2019-6111` and friends.
EPSS	Mixed but not compelling. Public FIRST-derived views put `CVE-2019-6111` in the low range, while bundled companion CVEs vary; nothing here changes the core reality that exploitation requires a hostile `scp` server or MITM.
KEV status	Not listed in the CISA KEV catalog as of this assessment.
CVSS vector reality check	Tenable keys off `CVE-2019-6110` at `CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N` and `CVE-2019-6111` is `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` in NVD/Ubuntu views. Those vectors still overstate server urgency because the reachable surface is the outbound `scp` client workflow.
Affected versions	Upstream OpenSSH before `8.0` is in scope for this plugin. Debian notes the vulnerable code is in the `scp` client; Tenable triggers on any OpenSSH banner `< 8.0`.
Fixed versions and backports	Upstream fix landed in `8.0` on `2019-04-17`. Distros backported earlier: Ubuntu fixed supported releases in `USN-3885-1` on `2019-02-07`; Debian fixed stretch in `1:7.4p1-10+deb9u5` and later completed in `DSA-4387-2` / `1:7.4p1-10+deb9u6`.
Scanner/exposure caveat	Tenable explicitly says it did not test the issues and relied on the application's self-reported version. That is fine for hygiene reporting, bad for urgent exploitability ranking.
Internet exposure context	OpenSSH is everywhere on the internet, but that does not amplify this finding the way it would for an inbound `sshd` RCE. The exposed thing is the server banner; the vulnerable behavior is the client-side legacy `scp` transfer path.
Disclosure and researcher	Earliest publication in this group was `2019-01-10` for `CVE-2018-20685`; the scp issue set was publicly detailed by Harry Sintonen / F-Secure and upstream mitigation shipped in OpenSSH `8.0` on `2019-04-17`.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to IGNORE (1.8/10)

The decisive factor is attacker position: this is not an inbound server exploit, it is a client-side scp trust failure that needs the victim host to initiate a transfer to a malicious or intercepted server. When a remote banner-only plugin points at a workflow-specific outbound client bug, it does not deserve server-patch-queue urgency.

HIGH This plugin overstates *server-side* exposure

MEDIUM Some hosts may still have legitimate client-side hygiene debt

Why this verdict

Requires the victim to use scp as a client against a malicious or MITM endpoint; that is not the same as exposing sshd to the internet
Banner-only detection: Tenable says it relied on self-reported version and did not test the vulnerable behavior
Reachable population collapses fast once you ask the real question: how many of your 10,000 hosts both have old OpenSSH *and* actively pull with legacy scp from untrusted systems?

Why not higher?

A higher severity would make sense for an unauthenticated inbound sshd compromise or for active exploitation evidence, and this is neither. The chain depends on outbound client behavior, often with user or automation participation, and usually yields impact only within the invoking account's local write scope.

Why not lower?

I am not calling this pure nonsense. Old scp clients really can be abused by malicious servers, and if your admin jump boxes or automation nodes still use legacy scp, there is genuine risk. The reason it lands at IGNORE is that the plugin's remote-server framing is the wrong operational queue for that risk.

05 · Compensating Control

What to do — in priority order.

Prefer sftp or rsync — Move routine file-copy workflows off legacy scp where possible. For an IGNORE verdict there is no SLA-driven emergency here, but this is the cleanest structural fix because it removes the risky protocol path entirely.
Constrain admin copy workflows — Limit which hosts are allowed to originate ad-hoc file transfers and keep them on managed jump boxes. If a small admin population is the only place scp is used, you shrink the true exposure population without touching every SSH server.
Watch for risky scp usage — Alert on scp execution from privileged admin hosts, especially recursive pulls from unfamiliar destinations. This is useful because exploitation needs a transfer event; no transfer, no bug path.
Use distro-specific local checks — Favor package/advisory-based local plugins over generic remote version banners. Do this during normal tuning, not as an urgent mitigation, because the real problem here is prioritization noise and backport blind spots.

What doesn't work

Perimeter blocking of inbound SSH alone does not solve this, because the vulnerable action is the host acting as an outbound scp client.
Treating every OpenSSH < 8.0 banner as urgent is counterproductive; many enterprise packages are backported and many servers never use scp client workflows.
A WAF is irrelevant. This is an SSH file-transfer trust problem, not HTTP traffic.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host, not from the scanner. Invoke it as sudo bash ./check_openssh_159491.sh; root is preferred because RPM changelog checks and package metadata are more reliable with full local access. The script returns PATCHED if it finds upstream >= 8.0 or explicit backport evidence for the bundled CVEs, VULNERABLE for likely unpatched upstream-style installs < 8.0, and UNKNOWN when distro packaging prevents a clean answer.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_openssh_159491.sh
# Verify whether Tenable plugin 159491 reflects a real local scp-client issue.
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0 PATCHED, 1 VULNERABLE, 2 UNKNOWN

set -u
CVES='CVE-2018-20685|CVE-2019-6109|CVE-2019-6110|CVE-2019-6111'

have_cmd() { command -v "$1" >/dev/null 2>&1; }

version_ge() {
  # returns 0 if $1 >= $2 using sort -V
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

extract_openssh_ver() {
  local out ver
  if have_cmd ssh; then
    out="$(ssh -V 2>&1)"
    ver="$(printf '%s' "$out" | sed -n 's/.*OpenSSH[_-]\([0-9][0-9.]*\)p\{0,1\}[0-9]*.*/\1/p')"
    [ -n "$ver" ] && { printf '%s' "$ver"; return 0; }
  fi
  return 1
}

check_rpm_backport() {
  local pkg
  for pkg in openssh-clients openssh; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      if rpm -q --changelog "$pkg" 2>/dev/null | grep -Eiq "$CVES"; then
        return 0
      fi
    fi
  done
  return 1
}

check_dpkg_backport() {
  local f
  for f in \
    /usr/share/doc/openssh-client/changelog.Debian.gz \
    /usr/share/doc/openssh-client/changelog.gz \
    /usr/share/doc/openssh/changelog.Debian.gz \
    /usr/share/doc/openssh/changelog.gz; do
    if [ -r "$f" ] && zgrep -Eiq "$CVES" "$f" 2>/dev/null; then
      return 0
    fi
  done
  return 1
}

main() {
  local ver=""
  if ! ver="$(extract_openssh_ver)"; then
    echo UNKNOWN
    exit 2
  fi

  # Upstream 8.0+ includes the mitigation.
  if version_ge "$ver" "8.0"; then
    echo PATCHED
    exit 0
  fi

  # Distro backport evidence beats upstream-style version strings.
  if have_cmd rpm && check_rpm_backport; then
    echo PATCHED
    exit 0
  fi

  if have_cmd dpkg-query && check_dpkg_backport; then
    echo PATCHED
    exit 0
  fi

  # Old upstream-style versions with no backport evidence are likely vulnerable.
  # If this is a locally built OpenSSH without package metadata, treat as vulnerable.
  if [ -x /usr/local/bin/ssh ] || [ -x /usr/local/sbin/sshd ]; then
    echo VULNERABLE
    exit 1
  fi

  # Packaged distro builds often backport without obvious version bumps.
  # If we cannot prove patching, stay conservative and ask for local package review.
  echo UNKNOWN
  exit 2
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not burn your urgent server patch queue on plugin 159491. Suppress or de-prioritize it for remote SSH server exposure, document the rationale, and pivot to a quick scoping exercise on the handful of admin/jump/automation hosts that actually originate legacy scp transfers. For an IGNORE verdict there is no noisgate mitigation SLA and no noisgate remediation SLA action required; document rationale only. If those client hosts are still using legacy scp, fold them into normal hardening work: move workflows to sftp/rsync and patch with distro-supported packages on a routine cycle rather than as an emergency server-side response.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.