A set of 36-year-old vulnerabilities has been discovered in Secure Copy Protocol (SCP) clients. SCP is a network protocol that uses Secure Shell (SSH) to transfer files between a local host and a remote host.
The bugs allow a malicious SCP server to change data on a client’s (user’s) system and conceal any malicious operations, said security researcher Harry Sintonen of F-Secure.
Sintonen said he has been working with vendors to fix the bugs since August last year, but only the WinSCP team has addressed the issue, with the release of WinSCP 5.14 in October 2018.
Security vulnerabilities discovered
One of the vulnerabilities in SCP, Sintonen explained, results from clients failing to verify that the objects returned by the SCP server match those they asked for.
The consequences are severe, as an attacker who controls the server can drop “arbitrary files to the SCP target directory, change the target directory permissions and spoof the client output”.
These vulnerabilities affect the SCP client implementation in Red Hat, Debian, and SUSE Linux, OpenSSH version 7.9 and earlier, as well as some versions of WinSCP.
“Due to the SCP implementation being derived from 1983 RCP, the server chooses which files/directories are sent to the client. However, SCP client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys),” the advisory from Sintonen says.
Another vulnerability Sintonen identified lies in how SCP clients check the name of the directory into which files are being transferred.
“With the help of empty (“D0777 0 \n”) or dot (“D0777 0 .\n”) directory name, the SCP client permits the server to modify permissions of the target directory,” the advisory says.
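The two directory-name problems above come down to what an SCP client accepts from the server's "C"/"D" directives. The following is an added illustration of the client-side checks a hardened client would apply (it is not OpenSSH, WinSCP or Sintonen's patch code); the sample server response is constructed, and the directive grammar assumed is the classic rcp/scp one quoted in the advisory.

```python
import re
from fnmatch import fnmatch

# Server directives: C<mode> <size> <name> (file), D<mode> <size> <name>
# (enter directory), E (leave directory), T... (timestamps).
_ENTRY = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")

class ScpValidationError(Exception):
    pass

def validate_entry(line, requested, depth, recursive):
    """Check one server directive before the client acts on it.
    requested: names/globs the user asked for (enforced at depth 0 only).
    depth: directory nesting, 0 = the target directory itself.
    Returns (kind, mode, size, name); raises ScpValidationError otherwise."""
    line = line.rstrip("\n")
    if line == "E" or line.startswith("T"):
        return (line[0], 0, 0, "")
    m = _ENTRY.match(line)
    if not m:
        raise ScpValidationError(f"malformed directive: {line!r}")
    kind, mode, size, name = m.group(1), int(m.group(2), 8), int(m.group(3)), m.group(4)
    # Empty, "." and ".." names make a client apply the mode to the target
    # directory itself (or step out of it) instead of creating a new entry.
    if name in ("", ".", ".."):
        raise ScpValidationError(f"refusing directory entry named {name!r}")
    # Traversal check: the only validation classic scp already performs.
    if "/" in name or "\\" in name or "\x00" in name:
        raise ScpValidationError(f"refusing name with path separator: {name!r}")
    if kind == "D" and not recursive:
        raise ScpValidationError("server sent a directory but -r was not given")
    # The missing check: at top level the name must be one the client asked for.
    if depth == 0 and not any(fnmatch(name, pat) for pat in requested):
        raise ScpValidationError(f"server sent unrequested object {name!r}")
    return (kind, mode, size, name)

def check_stream(lines, requested, recursive=False):
    """Run a whole server response through the check; one verdict per line."""
    depth, verdicts = 0, []
    for line in lines:
        try:
            kind = validate_entry(line, requested, depth, recursive)[0]
            verdicts.append("ok")
            if kind == "D":
                depth += 1
            elif kind == "E":
                depth = max(depth - 1, 0)
        except ScpValidationError as e:
            verdicts.append(f"rejected: {e}")
    return verdicts

# Constructed server response: the requested file, then an unrequested file
# and a "." directory entry of the kind the advisory describes.
SAMPLE_RESPONSE = ["C0644 12 report.txt\n", "C0600 99 .bashrc\n", "D0777 0 .\n"]
```

Running `check_stream(SAMPLE_RESPONSE, ["report.txt"])` accepts only the first line; the unrequested file and the "." directory are both rejected before the client would touch the filesystem.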
Sintonen also discovered two other vulnerabilities that can be used to manipulate the client output and hide any additional files being transferred.
How to overcome security vulnerabilities?
To mitigate the issues, Sintonen advised users to switch to SFTP or to apply the patch at https://sintonen.fi/advisories/scp-name-validator.patch, which hardens SCP against server-side manipulation attempts.