6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.007 Low
EPSS
Percentile
77.9%
A set of 36-year-old vulnerabilities has been uncovered in the Secure Copy Protocol (SCP) implementation of many client applications that can be exploited by malicious servers to overwrite arbitrary files in the SCP client target directory unauthorizedly.
Session Control Protocol (SCP), also known as secure copy, is a network protocol that allows users to securely transfer files between a local host and a remote host using RCP (Remote Copy Protocol) and SSH protocol.
In other terms, SCP, which dates back to 1983, is a secure version of RCP that uses authentication and encryption of SSH protocol to transfer files between a server and a client.
Discovered by Harry Sintonen, one of F-Secure’s Senior Security Consultants, the vulnerabilities exist due to poor validations performed by the SCP clients, which can be abused by malicious servers or man-in-the-middle (MiTM) attackers to drop or overwrite arbitrary files on the client’s system.
> “Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output,” Sintonen explained.
In a specific attack scenario, an attacker-controlled server can drop .bash_aliases file to the victim’s home directory, which will trick the system into executing malicious commands within it as soon as the Linux user launches a new shell.
As explained by the researcher, “the transfer of extra files is hidden by sending ANSI control sequences via stderr.”
According to the advisory, the following-mentioned vulnerabilities were discovered in August last year, which were then responsibly reported to developers of vulnerable clients, including OpenSSH, PuTTY, and WinSCP.
Since the vulnerabilities impact the implementation of the SCP protocol, all SCP client applications, including OpenSSH, PuTTY, and WinSCP, which uses SCP as a standard to transfer files are affected.
WinSCP addressed the issues with the release of version 5.14 last October, and the patch is also included in the current version 5.14.4.
CVE-2018-20685 was patched in OpenSSH’s implementation of the SCP protocol in November, though the fix has not been formally released by the vendor yet. The rest three vulnerabilities remain unpatched in version 7.9, the latest version released in October.
However, if you are worried of malicious SCP server pwning you, you can configure your systems to use SFTP (Secure FTP) if possible.
Alternatively, Sintonen has also provided a fix to harden SCP against most server-side manipulation attempts, which you can apply directly, though it may cause some problems.
It seems like PuTTY has not fixed the vulnerabilities yet, since the last PuTTY release was version 0.7 in July 2017.
Users who think the vulnerabilities might impact them are recommended to keep an eye on the patches and apply them as soon as they become available for your client applications.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.007 Low
EPSS
Percentile
77.9%