Bug 1854145 (CVE-2020-12062)

Summary: CVE-2020-12062 openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: crypto-team, dwalsh, jfch, jjelen, lkundrak, mattias.ellert, plautrba, tmraz, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-07 03:51:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1854146    

Description Guilherme de Almeida Suckevicz 2020-07-06 14:46:06 UTC 
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."

References:
https://www.openssh.com/txt/release-8.3
https://www.openwall.com/lists/oss-security/2020/05/27/1

Upstream commit:
https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894
Comment 1 Huzaifa S. Sidhpurwala 2020-07-07 03:51:17 UTC 
Red Hat does not consider this issue as a security flaw. As per upstream:

"Exploitation of this is not likely as utimes(2) does not fail under normal circumstances. Successful exploitation is not silent - the output of scp(1) would show transfer errors followed by the actualfile(s) that were received"

This CVE has been rejected by MITRE.
Comment 2 Huzaifa S. Sidhpurwala 2020-07-07 03:51:22 UTC 
Statement:

Red Hat does not consider this issue as a security flaw. As per upstream:

"Exploitation of this is not likely as utimes(2) does not fail under normal circumstances. Successful exploitation is not silent - the output of scp(1) would show transfer errors followed by the actualfile(s) that were received"

This CVE has been rejected by MITRE.