35yr old vulnerability found in SCP

January 16, 2019

Just because it’s been out for a long time, and has Secure in the name, doesn’t mean it’s totally safe, whoops…

In this advisory the following vulnerability in SCP is described:


SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation.

Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.

Impact

Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output.

….


The following software packages have some or all vulnerabilities:

                    ver       #1  #2  #3  #4
OpenSSH scp         <=7.9     x   x   x   x
PuTTY PSCP          ?         -   -   x   x
WinSCP scp mode     <=5.13    -   x   -   -

Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol.
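A sketch of the client-side check whose absence the advisory describes, added here as an example (not code from the advisory, OpenSSH or any vendor): each file or directory record the server sends is compared with what the client asked for. The `C`/`D` record layout is assumed from the rcp/scp wire format, and `check_record`, `audit` and the sample records are constructed for illustration.

```python
import fnmatch
import re

# Source-side control record of the rcp/scp protocol (assumed format):
#   C<mode> <size> <name>   regular file
#   D<mode> 0 <name>        directory (only expected with -r)
HEADER = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$", re.DOTALL)


def check_record(line, requested, recursive=False):
    """Validate one top-level control record against what was requested.

    `requested` is the basename or glob the client put on its command line.
    Returns (ok, reason).
    """
    m = HEADER.match(line[:-1] if line.endswith("\n") else line)
    if not m:
        return False, "malformed control record"
    kind, _mode, _size, name = m.groups()
    # Empty, "." and ".." name the target directory itself or its parent;
    # "/" would place the object outside the target directory.
    if name in ("", ".", "..") or "/" in name:
        return False, "unsafe object name"
    # Control bytes (e.g. ESC) in a name can rewrite terminal output.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, "control character in object name"
    if kind == "D" and not recursive:
        return False, "directory sent for non-recursive copy"
    if not fnmatch.fnmatchcase(name, requested):
        return False, "object name was not requested"
    return True, "ok"


def audit(records, requested, recursive=False):
    """Return the (record, reason) pairs a strict client would refuse."""
    rejected = []
    for rec in records:
        ok, reason = check_record(rec, requested, recursive)
        if not ok:
            rejected.append((rec.rstrip("\n"), reason))
    return rejected


# Constructed sample: the client asked for "report.txt" only.
SAMPLE = [
    "C0644 120 report.txt\n",
    "C0644 58 extra.cfg\n",
    "D0777 0 \n",
    "C0644 10 a\x1b[2Kb.txt\n",
]
```

Calling `audit(SAMPLE, "report.txt")` returns the three records a strict client would refuse, each with its reason.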

Summary
Article Name: scp client multiple vulnerabilities
Author: Harry Sintonen / F-Secure Corporation