36-year-old tools that use SCP protocol found vulnerable to four security bugs
- The bugs can be exploited by malicious servers to make unauthorized changes to a client’s system.
- The bugs can also be abused to hide malicious operations on a client’s system.
All tools that support the Secure Copy Protocol (SCP) from the last 36 years have been found to be vulnerable to four security bugs. These bugs can be exploited by malicious servers to make unauthorized changes to a client’s system and hide malicious operations in the terminal.
About the bugs
The vulnerabilities have been discovered by Harry Sintonen, a security researcher from cybersecurity firm F-Secure.
Tracked as CVE-2018-20685, CVE-2019-6111, CVE-2019-6109 and CVE-2019-6110, the flaws exist in the original BSD implementation of the RCP protocol. This means every SCP implementation written in the last 36 years is affected by the bugs.
“Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output,” Sintonen explained in his disclosure.
CVE-2018-20685 can allow a remote SCP server to modify permissions on the target directory of an SCP client, while exploitation of CVE-2019-6111 can result in arbitrary files being overwritten in the SCP client’s target directory. By exploiting CVE-2019-6109 and CVE-2019-6110, a malicious server can manipulate the client’s terminal output via ANSI codes and hide malicious operations.
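The client-side checks whose absence the advisory describes, as an added example that is not part of the original article or of any scp client's code: it validates each object name a server sends against what the user requested and neutralises control characters before anything is printed. The `C`/`D` record layout is the rcp/scp wire format as assumed here, and `check_record`, `sanitize_for_terminal` and the sample records are hypothetical names and constructed data.

```python
import fnmatch
import re

# Assumed rcp/scp record sent by the server: C<mode> <size> <name>\n or D<mode> <size> <name>\n
RECORD = re.compile(rb"([CD])([0-7]{4}) (\d+) ([^\n]*)\n")


def sanitize_for_terminal(text: str) -> str:
    """Escape control characters (ESC included) so server text cannot drive the terminal."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def check_record(record: bytes, requested: str):
    """Return (accepted, detail) for one server record, given the path or pattern requested."""
    m = RECORD.fullmatch(record)
    if m is None:
        return False, "malformed record"
    name = m.group(4).decode("utf-8", errors="replace")
    shown = sanitize_for_terminal(name)
    # Names that resolve to the target directory itself, or outside it.
    if name in ("", ".", "..") or "/" in name:
        return False, f"unsafe name: {shown}"
    if any(not c.isprintable() for c in name):
        return False, f"control characters in name: {shown}"
    # The server may only return objects matching the last component the user asked for.
    pattern = requested.rsplit("/", 1)[-1]
    if not fnmatch.fnmatchcase(name, pattern):
        return False, f"unrequested object: {shown}"
    return True, shown


# Constructed sample records, not captured from a real server.
SAMPLES = [
    (b"C0644 12 notes.txt\n", "docs/notes.txt"),
    (b"C0644 40 unrelated.cfg\n", "docs/notes.txt"),
    (b"D0755 0 .\n", "docs/notes.txt"),
    (b"C0644 12 notes\x1b[2K.txt\n", "docs/*.txt"),
]

if __name__ == "__main__":
    for rec, asked in SAMPLES:
        print(asked, "->", check_record(rec, asked))
```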
Which software is impacted?
OpenSSH, PuTTY and WinSCP are all impacted by the vulnerabilities.
Presently, security patches are available for WinSCP. The WinSCP team has released version 5.14 to address the reported issues.