SCP implementations affected by 36-year-old security flaws


The flaws affect OpenSSH, PuTTY and WinSCP. WinSCP patches are available.

All SCP (Secure Copy Protocol) implementations from the last 36 years, since 1983, are vulnerable to four security bugs that allow a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations on the device.

The vulnerabilities were identified by Harry Sintonen, a security researcher with Finnish cyber security firm F-Secure, who has been working since August of last year to get them fixed and patched in the major applications that support the SCP protocol.
For readers not familiar with SCP, the protocol is a "secure" implementation of RCP (Remote Copy Protocol), a protocol for transferring files over a network.

SCP operates on top of the SSH protocol and supports an authentication mechanism to provide authenticity and confidentiality for transferred files, just as SSH provides the same for the older and unsafe Telnet protocol.

SCP has been used as a standalone app under the same name since its first release back in 1983, but has also been included in other apps. For instance, SCP is the standard method of file transfer for OpenSSH, PuTTY and WinSCP.

Whenever users transfer files between a server and a client (or vice versa) via these apps, the files are transferred via the SCP protocol without the user being aware of it, unless users have chosen SFTP as the default mode for data transfer.

In a security advisory published last week on his personal website, Sintonen revealed that there are four major security bugs affecting SCP implementations:

CVE-2018-20685: An SCP client app allows a remote SCP server to modify the target directory's permissions.

CVE-2019-6111: A malicious SCP server can overwrite arbitrary files in the target directory of the SCP client. If a recursive (-r) operation is carried out, the server can also manipulate sub-directories (e.g. overwrite .ssh/authorized_keys).

CVE-2019-6109: ANSI codes can be used to manipulate the client's terminal output to hide subsequent operations.

CVE-2019-6110: Related to the above. The problems are rooted in the original BSD implementation of the RCP protocol, which means that all SCP implementations of the last 36 years have been affected to varying degrees.
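
The checks a client needs against the bugs listed above, as an added example that is not code from the advisory or from any SCP client: it audits the control records a server sends during a download and flags dot or path names, names nobody requested, and control characters. The record format and the names `audit_session` and `printable` are assumptions of this example.

```python
import fnmatch
import re

# Assumed wire format (SCP/RCP download mode; not shown in the article):
#   "C<mode> <size> <name>" = file, "D<mode> 0 <name>" = enter dir, "E" = leave dir
RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")  # includes ESC, which starts ANSI codes


def printable(text):
    """Escape control characters before server-supplied text reaches the terminal."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def audit_session(records, requested, recursive=False):
    """Return (record index, reason) for each server record a client should refuse."""
    findings, depth = [], 0
    for i, line in enumerate(records):
        if line == "E":
            depth = max(depth - 1, 0)
            continue
        m = RECORD.match(line)
        if m is None:
            findings.append((i, "malformed record: " + printable(line)))
            continue
        kind, _mode, _size, name = m.groups()
        if CONTROL.search(name):
            findings.append((i, "control characters in name: " + printable(name)))
        if name in (".", "..") or "/" in name:
            findings.append((i, "name is not a plain path component"))
        elif depth == 0 and not fnmatch.fnmatchcase(name, requested):
            findings.append((i, "unrequested top-level name: " + printable(name)))
        if kind == "D" and recursive:
            depth += 1
        elif kind == "D":
            findings.append((i, "directory sent without -r"))
    return findings


# Constructed sample: the user asked for "report.txt" without -r.
SAMPLE = [
    "C0644 12 report.txt",                     # what was requested
    "D0777 0 .",                               # directory record naming the target itself
    "C0600 90 authorized_keys\x1b[1A\x1b[2K",  # unrequested file, ANSI codes in the name
]

if __name__ == "__main__":
    for index, reason in audit_session(SAMPLE, "report.txt"):
        print(index, reason)
```

Names below the top level of a recursive copy are chosen by the server and cannot be compared with the request, so this check only covers the first level when -r is used.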

At the time of writing, only the WinSCP team had addressed the reported problems, with the release of WinSCP 5.14.

SCP implementation | Version | Affected by (of #1 to #4)
OpenSSH SCP | <=7.9 | x x x x
PuTTY PSCP | ? | x x
WinSCP SCP mode | <=5.13 | x

If patching is not an option or out of the user’s control, SCP clients should be configured to request files via SFTP (Secure FTP).

It should be noted that any attack attempting to exploit these vulnerabilities depends on a malicious party taking over an SCP server or being in a man-in-the-middle position, although the MitM attack may be easier to detect because the victim needs to accept the wrong host fingerprint.

After the publication date of this article, users who believe they may be affected can keep an eye on Sintonen's security advisory for updated information on upcoming patches for other SCP clients. We will do our best to update this article.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.