
Oh SCPt! - 36 year old flaws affecting SCP (OpenSSH, Putty, WinSCP) discovered

rcmaehl

Source:
ZDNet

 

Summary:
36-year-old flaws in SCP (which runs on top of SSH) allow servers to make unauthorized and hidden changes to users' systems

 


Quotes/Excerpts:

Quote

All SCP (Secure Copy Protocol) implementations...since 1983, are vulnerable to four security bugs that allow a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations in the terminal. The vulnerabilities have been discovered by Harry Sintonen. For our readers that are not familiar with SCP, the protocol is a "secure" implementation of the RCP (Remote Copy Protocol) --a protocol for transferring files across a network. SCP works on top of the SSH protocol and supports an authentication mechanism to provide authenticity and confidentiality for transferred files, just like SSH provides the same thing for the older and insecure Telnet protocol. SCP is the standard file transfer method for OpenSSH, Putty, and WinSCP. Sintonen revealed the existence of four major security bugs affecting SCP implementations: CVE-2018-20685, CVE-2019-6111, CVE-2019-6109, CVE-2019-6110. The issues have their roots in the original BSD implementation of the RCP protocol... all SCP implementations in the past 36 years are affected. At the time of writing, only the WinSCP team has addressed the reported issues. If patching is not an option... users are advised to configure SCP clients to request files via SFTP (Secure FTP). It should be noted that any attacks that may try to exploit these vulnerabilities rely on a malicious party taking over an SCP server, or being in a Man-in-the-Middle position.


My Thoughts:

Big OOF. 36 years is quite a long time for an exploit like this to go undiscovered. While I don't use OpenSSH personally for file transfer, I do know several people that use it as such and would be affected by this, especially in the server admin community. Definitely something that needs to be kept an eye on until the software you use is patched.

Edited by rcmaehl
Forgot to link text of source.



 

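Added example (not from the ZDNet article, nor from OpenSSH, PuTTY or WinSCP): the quoted bugs all sit on the receiving side of scp, where the client trusts the file names and text a server sends back. The Python below models that receiving side as pure functions and applies the checks a hardened client needs: it rejects the "." and empty names of CVE-2018-20685 (as quoted from MITRE further down in this thread), rejects path separators, requires each name to match what was requested, and strips terminal escape sequences before anything server-controlled is echoed. The scp record format in the comments, the use of fnmatch for the request check, and the sample records are assumptions for illustration, not captured traffic or the projects' own code.

```python
"""Client-side validation of scp protocol records from a server.

Added example, not code from OpenSSH, PuTTY, WinSCP or the ZDNet article.
It models the receiving ('sink') side of scp as pure functions so the checks
can be run offline against constructed server messages.
"""
import fnmatch
import re
from typing import Iterable, List, Tuple

# Assumed wire format, one control record per line, as sent by the server:
#   C<mode> <size> <name>   a regular file's bytes follow
#   D<mode> 0 <name>        a directory begins (recursive copies only)
#   E                       the current directory ends
#   T<mtime> 0 <atime> 0    timestamps (only when -p was requested)
_RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")

# Terminal escape sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or
# ESC \), and two-byte ESC sequences; then any other C0 control byte except
# newline and tab.
_ANSI = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)
_C0 = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def check_name(name: str, requested: Iterable[str]) -> None:
    """Reject a server-supplied name that could escape the destination.

    Raises ValueError with a short reason; returns None when acceptable.
    """
    if name == "" or name in (".", ".."):
        # CVE-2018-20685 class: '.' or an empty name lets the server act on
        # the destination directory itself instead of a file inside it.
        raise ValueError("empty or dot name")
    if "/" in name or "\\" in name:
        # A separator would let 'C0644 n ../x' write outside the target
        # directory (assumed generalisation of the same class of bug).
        raise ValueError("path separator in name")
    if not any(fnmatch.fnmatchcase(name, pat) for pat in requested):
        # The client asked for specific names; anything else is an extra
        # file the server is trying to drop. fnmatch stands in here for
        # whatever glob matching a real client uses (assumption).
        raise ValueError("name does not match what was requested")


def sanitize(text: str) -> str:
    """Strip escape sequences and control bytes from server-controlled text
    (file names, stderr) before it is echoed, so the server cannot repaint
    or erase terminal output to hide what it did."""
    return _C0.sub("", _ANSI.sub("", text))


def audit(records: Iterable[str], requested: List[str]) -> List[Tuple[str, str]]:
    """Walk server records and return (display_name, verdict) per file or
    directory record; verdict is 'ok' or the rejection reason. 'E' and
    'T' records carry no name and are skipped."""
    results = []
    for rec in records:
        m = _RECORD.match(rec)
        if not m:
            continue
        name = m.group(4)
        try:
            check_name(name, requested)
            verdict = "ok"
        except ValueError as exc:
            verdict = str(exc)
        results.append((sanitize(name), verdict))
    return results


# Constructed records a hostile server could answer 'scp user@host:report.txt .'
# with (sample input, not captured traffic): the real file, the two
# CVE-2018-20685 names, a traversal, an unrequested dotfile, and a name
# carrying 'erase line, cursor up' escapes to hide the transfer.
SAMPLE_RECORDS = [
    "C0644 12 report.txt",
    "C0644 0 .",
    "C0644 0 ",
    "C0644 33 ../.ssh/authorized_keys",
    "C0644 40 .bash_profile",
    "C0644 12 report.txt\x1b[2K\x1b[1A",
    "E",
]

if __name__ == "__main__":
    for shown, verdict in audit(SAMPLE_RECORDS, ["report.txt"]):
        print(f"{shown!r:30} {verdict}")
```

Note the limit of the request check: with a wildcard request such as `scp 'user@host:*' .`, any name the glob matches is accepted, dotfiles included, so the server still chooses what lands in the destination directory. That is why the article's advice to fall back to SFTP remains the only complete mitigation until the client is patched.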

Wait, isn't OpenSSH bundled with most Linux distros? Or am I wrong there?



OpenSSH is an implementation of SSH, and is used everyday by millions of people.

 

I use SCP rarely: it has no optimisation of connection utilisation, and is generally vastly inferior to uploading your data to a storage server (e.g. AWS S3) and downloading it at the other end, all using HTTPS.


10 minutes ago, rcmaehl said:

36 year old flaws in SCP

SCP: Secure Contain Protect



6 minutes ago, firelighter487 said:

Wait, isn't OpenSSH bundled with most Linux distros? Or am I wrong there?

Yes, it is.



Only the first bug number returns anything related to SCP. The other 3 don't return anything. Am I missing something?

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685

Quote

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename.

And this one looks to be fixed:

https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

 

So I'm a bit confused.


Just now, WereCatf said:

Yes, it is.

....so most Linux installs are vulnerable to this?



I always use SFTP :D



Just now, firelighter487 said:

....so most Linux installs are vulnerable to this?

No, most Linux installs are done by specialists in networking and system administration, and OP has written when someone can use these vulnerabilities to attack.

Also, this is not Microsoft. These vulnerabilities will be patched in 2 days at max.



I use scp quite a lot, myself. I spend quite a lot of time in the command-line, and it's just so quick and easy to hammer out

scp thisfile user@server:/whereIwantthefile/

 



2 minutes ago, mate_mate91 said:

Also, this is not Microsoft. These vulnerabilities will be patched in 2 days at max.

That kinda scares me because AFAIK SSH is bundled with Windows 10 as well...



1 minute ago, firelighter487 said:

That kinda scares me because AFAIK SSH is bundled with Windows 10 as well...

These are NOT SSH vulnerabilities, they're SCP's.



2 minutes ago, mate_mate91 said:

No, most linux installs are done by specialists in the networking and system administration

That's a stupid argument. The installations being done by "specialists" is only helpful if the specialists are aware of the vulnerabilities, but since these vulnerabilities are apparently newly discovered, those "specialists" can't be aware of them and therefore haven't done any mitigations.



Just now, WereCatf said:

That's a stupid argument. The installations being done by "specialists" is only helpful if the specialists are aware of the vulnerabilities, but since these vulnerabilities are apparently newly discovered, those "specialists" can't be aware of them and therefore haven't done any mitigations.

I used those arguments against this: "taking over an SCP server, or being in a Man-in-the-Middle position." Because OP wrote that to use those vulnerabilities you must do one of those two things :)



3 minutes ago, mate_mate91 said:

These are NOT SSH vulnerabilities, they're SCP's.

The OP has OpenSSH mentioned in it... can you explain what exactly the issue is?



Just now, firelighter487 said:

The OP has OpenSSH mentioned in it... can you explain what exactly the issue is?

OpenSSH is a specific implementation of the SSH-protocol. It doesn't mean that all SSH-libraries are vulnerable, just that OpenSSH is. There are plenty of other SSH-implementations out there and AFAIK Windows doesn't use OpenSSH.



3 minutes ago, mate_mate91 said:

I used those arguments against this: "taking over an SCP server, or being in a Man-in-the-Middle position." Because OP wrote that to use those vulnerabilities you must do one of those two things :)

And? I assume you have no idea how widely SSH is used by all the various sysadmins to do remote tasks, and if the admins themselves aren't the owners of the remote servers they're connecting to, they may not know the server has been compromised.



3 minutes ago, firelighter487 said:

The OP has OpenSSH mentioned in it... can you explain what exactly the issue is?

Do not worry. WereCatf already answered you. Also if anyone is worried just configure your scp to request files with sftp. That's it. If you really want scp just wait for patches.



Just now, WereCatf said:

And? I assume you have no idea how widely SSH is used by all the various sysadmins to do remote tasks, and if the admins themselves aren't the owners of the remote servers they're connecting to, they may not know the server has been compromised.

SSH is not a problem. You can use SSH (well, if someone did not discover vulnerabilities in its implementation minutes ago :D); as long as you configure scp to request files via SFTP you are secure!



If it's not a bug inside ssh/openssh itself then we're good.


That's an impressively severe bug to have lasted for 36 years across multiple implementations without anyone noticing. It does only affect you if you use SCP to copy a file to a malicious (or compromised) server, so unless you consciously use SCP (which is, at least for me, a tool that is quite useful but only occasionally) it probably won't affect you.



Interesting read, I always enjoy @rcmaehl posts on cyber-security issues so keep it up!


Thanks to the OP, I was the first one to hear about this at work.

 

So thank you, and keep it up :) @rcmaehl



2 hours ago, rcmaehl said:

Oh SCPt!

Masterful title work! xD 

 

[related to post]

There's something I'd like to point out, though.  Humans aren't perfect, so we can never make anything that IS perfect.  Having said that, for this SCP thing to have an exploit discovered after 36 YEARS, I'd say it's pretty damn secure.  That's a lot of years before somebody breached it.  I'm impressed!



2 minutes ago, Techstorm970 said:

Having said that, for this SCP thing to have an exploit discovered after 36 YEARS, I'd say it's pretty damn secure.  That's a lot of years before somebody breached it.  I'm impressed!

Chief, seldom do these exploits get discovered by white hats or developers before black and grey hats.


