OpenSSH has a vulnerability in the scp client utility. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1666128]
This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw essentially allows a malicious scp server to possibly overwrite arbitrary files in the scp client target directory or if recursive operation (-r) is chosen than the server can manipulate subdirectories on the client machine as well, subject to the file/directory permissions.
To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection.
Also note that, since this is a flaw in the scp utility, the SSH client is not affected.
This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666127#c2