
36-year-old vulnerabilities in SCP

These flaws could lead to remote code execution on compromised systems

According to experts in network security and ethical hacking from the International Institute of Cyber Security, a set of 36-year-old vulnerabilities in the Secure Copy Protocol (SCP) implementation of multiple client applications has been discovered; they could be exploited by malicious users to overwrite arbitrary files in the SCP client’s destination directory without authorization.

SCP (also known as Session Control Protocol) is a network protocol that allows users to securely transfer files between a local and a remote host using the Remote Copy Protocol (RCP) and the SSH protocol.

In other words, the SCP protocol, created in 1983, is a secure version of RCP that relies on the authentication and encryption of the SSH protocol to transfer files between server and client, as noted by network security experts.

The vulnerabilities, discovered by the cybersecurity expert Harry Toney, exist because SCP clients perform insufficient validation of what the server returns; they could be exploited by a malicious server, or through some variant of a Man-in-the-Middle (MitM) attack, to arbitrarily delete or overwrite files on the client system.

“Many SCP clients do not verify whether the objects returned by the SCP server match the requests. This problem goes back to the year 1983 and the RCP protocol, on which SCP is based,” the expert mentioned.

An attacker-controlled server could place a .bash_aliases file in the victim’s home directory, tricking the system into executing malicious commands as soon as the Linux user starts a new shell.

Multiple vulnerabilities

According to the report, the vulnerabilities were discovered and reported to the vendors of the potentially affected clients last August. The list of vulnerabilities is:

  • Incorrect validation of the directory name by the SCP client (CVE-2018-20685)
  • Missing validation of the received object name in the SCP client (CVE-2019-6111)
  • SCP client spoofing via the object name (CVE-2019-6109)
  • SCP client spoofing via stderr (CVE-2019-6110)

Because the vulnerabilities lie in the implementation of the SCP protocol itself, all SCP client applications that use it, including OpenSSH, PuTTY, and WinSCP, are affected. WinSCP solved the problems with the release of version 5.14 last October, and the patch is also included in the current version 5.14.4.

The vulnerability CVE-2018-20685 was corrected in the implementation of the SCP protocol last November, although the fix has not yet been officially published by the vendors. The other three vulnerabilities remain unpatched.

If you are concerned that a malicious SCP server could compromise your system, configure your client to use SFTP (secure FTP) where possible. Alternatively, the network security expert also provided a solution that hardens SCP against most server-side manipulation attempts; it can be applied directly, although it may cause some problems.

Potentially affected users are encouraged to watch for the release of security patches and to apply them to their systems as soon as they are available.
