SCP implementations impacted by 36-year-old security flaws

OpenSSH, PuTTY, and WinSCP are all impacted. Patches are available for WinSCP.

SCP vulnerabilities

SCP (Secure Copy Protocol) client implementations going back 36 years, to the original BSD code from 1983, are affected by four security bugs that allow a malicious or compromised SCP server to make unauthorized changes to the client user's system and to hide those operations from the user's terminal.

The vulnerabilities have been discovered by Harry Sintonen, a security researcher with Finnish cyber-security firm F-Secure, who's been working since August last year to have them fixed and patched in the major apps that support the SCP protocol.

For readers not familiar with SCP: the protocol is a secured descendant of RCP (the BSD Remote Copy Protocol), a protocol for copying files across a network.

SCP runs on top of the SSH protocol and inherits its authentication and encryption, which give transferred files authenticity and confidentiality, just as SSH does for remote shell sessions that used to run over the older, cleartext Telnet protocol.

Since the first release of its BSD ancestor rcp back in 1983, SCP has been used as a standalone command under the same name but has also been embedded inside other apps. For example, SCP is a standard file transfer method in OpenSSH (scp), PuTTY (PSCP), and WinSCP.

Whenever users copy files between a server and a client (or vice versa) via these apps, the transfer goes over the SCP protocol, often without the user being aware of it, unless the user has chosen SFTP as the default transfer mode.

In a security advisory published on his personal website last week, Sintonen revealed the existence of four security bugs affecting SCP client implementations:

  1. CVE-2018-20685 - An SCP client allows a malicious SCP server to modify the permissions of the target directory on the client side, by sending a directory record named "." or with an empty name.
  2. CVE-2019-6111 - A malicious SCP server can overwrite arbitrary files in the SCP client's target directory, because the client does not check that the file names the server sends match what was requested. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, overwrite .ssh/authorized_keys).
  3. CVE-2019-6109 - The client's terminal output can be manipulated via ANSI escape codes embedded in the object (file) names the server sends, for example to hide the transfer of extra files from the user.
  4. CVE-2019-6110 - Similar to the above, but via the server's stderr output, which the client passes straight through to the user's terminal.
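The following Python program is an added illustration, not code from the advisory or from OpenSSH, PuTTY, or WinSCP. It models the control records a malicious server can send to an SCP client's receiving ("sink") loop, shows which local paths a client that takes every name at face value would write or chmod, and applies the name checks a hardened client would want. The record formats are those of the BSD rcp protocol; the function names, the target directory /home/victim, the requested name "report", and the server stream itself are assumptions constructed for this example.

```python
import posixpath
import re

# ASCII control characters, ESC (0x1b) included.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_record(line):
    """Parse one SCP control record as sent by the source (server) side.
    Record forms, inherited from BSD rcp:
      C<mode> <size> <name>   regular file: <size> bytes follow, then a NUL
      D<mode> <size> <name>   enter a directory (only meaningful with -r)
      E                       leave the current directory
      T<mtime> 0 <atime> 0    timestamps for the next C/D record
    Returns (kind, mode, size, name); mode, size and name are None for E/T."""
    kind = line[0]
    if kind in "CD":
        mode, size, name = line[1:].split(" ", 2)
        return kind, int(mode, 8), int(size), name
    if kind in "ET":
        return kind, None, None, None
    raise ValueError("unknown SCP record: %r" % line)


def check_name(name, requested=None):
    """Return None if a server-supplied object name is acceptable, otherwise
    the reason a hardened client refuses it.  Each check corresponds to one
    of the bugs: '', '.' and '..' make the record act on the target directory
    itself (#1); a '/' or a name other than the one requested lets the server
    choose where under the target it writes (#2); control characters let the
    name drive the terminal (#3).  These are checks a hardened client would
    want (an assumption of this example), not any vendor's actual patch."""
    if name in ("", ".", ".."):
        return "special name would act on the target directory"
    if "/" in name:
        return "path separator in object name"
    if CONTROL_CHARS.search(name):
        return "control character in object name"
    if requested is not None and name != requested:
        return "server sent %r but %r was requested" % (name, requested)
    return None


def sanitize_for_terminal(text):
    """Render server-controlled text (file names, the server's stderr, #4)
    safely: every control character except newline and tab becomes a caret
    escape, so ESC is shown as ^[ instead of being interpreted by the terminal."""
    return CONTROL_CHARS.sub(
        lambda m: m.group(0) if m.group(0) in "\n\t" else "^" + chr(ord(m.group(0)) ^ 0x40),
        text)


def sink(stream, target_dir, requested, recursive=False, strict=True):
    """Walk a record stream the way an scp client's sink loop does and return
    (writes, rejections): the local paths a client would create or chmod, with
    the mode it would apply, and the records a strict client refuses.  With
    strict=False every name is taken at face value, mirroring the pre-patch
    behaviour described above.  A real client aborts on the first rejection;
    this one skips the record and carries on so that every finding is listed."""
    cwd = [target_dir]
    writes, rejections = [], []
    for line in stream:
        kind, mode, size, name = parse_record(line)
        if kind == "E":
            if len(cwd) > 1:
                cwd.pop()
            continue
        if kind == "T":
            continue
        if kind == "D" and not recursive:
            rejections.append("%r: directory record without -r" % line)
            continue
        # Only the top-level object must match what the user asked for;
        # names deeper in the tree are checked structurally.
        expected = requested if len(cwd) == 1 else None
        reason = check_name(name, expected) if strict else None
        if reason is not None:
            rejections.append("%r: %s" % (line, reason))
            continue
        path = posixpath.normpath(posixpath.join(cwd[-1], name))
        writes.append((kind, path, "%04o" % mode))
        if kind == "D":
            cwd.append(path)
    return writes, rejections


# Constructed stream from a malicious server answering `scp -r host:report .`
# run from /home/victim.  Hand-built for this example, not captured traffic.
MALICIOUS_STREAM = [
    "D0777 0 .",                        # #1: chmod 0777 on the target dir itself
    "E",
    "D0755 0 .ssh",                     # #2: not 'report'; lands in ~/.ssh ...
    "C0600 26 authorized_keys",         #     ... and plants a key there
    "E",
    "D0755 0 report",                   # the directory that was requested
    "C0644 5 notes.txt",
    "C0644 9 ../evil.sh",               # #2: '/' escapes the directory
    "C0644 5 x\x1b[2K\rnotes.txt",      # #3: ESC[2K + CR wipes the line
    "E",
]

if __name__ == "__main__":
    for strict in (False, True):
        writes, rejections = sink(MALICIOUS_STREAM, "/home/victim", "report",
                                  recursive=True, strict=strict)
        print("strict=%s" % strict)
        for kind, path, mode in writes:
            action = "mkdir/chmod" if kind == "D" else "write"
            print("  would %s %s mode %s" % (action, sanitize_for_terminal(path), mode))
        for why in rejections:
            print("  rejected " + sanitize_for_terminal(why))
```

Run as-is, the non-strict pass shows the target directory itself receiving mode 0777, a file landing at /home/victim/.ssh/authorized_keys, and a name with an escape sequence being accepted; the strict pass keeps only the requested directory and the one legitimate file inside it. Note that the escape-sequence name is only dangerous because clients print names verbatim, which is why the output here goes through sanitize_for_terminal in both passes.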

The issues have their roots in the original BSD implementation of the RCP protocol, meaning SCP implementations from the past 36 years are affected, although to differing degrees, as the table below shows.

SCP implementation   Version   #1   #2   #3   #4
OpenSSH SCP          <=7.9     x    x    x    x
PuTTY PSCP           ?         -    -    x    x
WinSCP SCP mode      <=5.13    -    x    -    -

(x = affected, - = not affected, ? = affected version range not determined; #1 to #4 refer to the numbered bugs above.)

Sintonen recommends applying any available patches for the listed clients. At the time of writing, only the WinSCP team had addressed the reported issues, with the release of WinSCP 5.14.

If patching is not an option or is out of the user's control, users are advised to transfer files via SFTP (the SSH File Transfer Protocol) instead of SCP where possible. SFTP runs over the same SSH connection, but the client, not the server, decides which local files are written, so a malicious server cannot push unrequested files onto the client.

It should be noted that any attack exploiting these vulnerabilities relies on the attacker controlling the SCP server the user connects to (a compromised or deliberately malicious server), or holding a man-in-the-middle position. The MitM variant is easier to spot, because SSH would present the victim with an unknown or changed host key fingerprint, which the victim must accept for the connection to proceed.

Users who believe they might be impacted can keep an eye on Sintonen's security advisory for updated information on upcoming patches for other SCP clients released after this article's publication date. We'll do our best to keep this article up to date.
