Bug 1860487 (CVE-2020-15778) - CVE-2020-15778 openssh: scp allows command injection when using backtick characters in the destination argument
Summary: CVE-2020-15778 openssh: scp allows command injection when using backtick char...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-15778
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860488 1860749 1860750 1860751 1860752 1860753 1860754 1860755 1860756 1860758 1860759
Blocks: 1860489
TreeView+ depends on / blocked
 
Reported: 2020-07-24 18:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-27 20:38 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the scp program shipped with the openssh-clients package. An attacker having the ability to scp files to a remote server, could execute arbitrary commands on the remote server by including the command as a part of the filename being copied on the server. This command is run with the permissions of user with which the files were copied on the remote server. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-06 08:33:49 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-07-24 18:29:17 UTC 
scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Reference:
https://www.openssh.com/security.html
Comment 1 Guilherme de Almeida Suckevicz 2020-07-24 18:29:36 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1860488]
Comment 3 Simo Sorce 2020-07-24 19:58:10 UTC 
Reproducer: https://github.com/cpandya2909/CVE-2020-15778
Can be reproduce in 1 minute.
Comment 22 Huzaifa S. Sidhpurwala 2020-08-11 15:32:36 UTC 
External References:

https://access.redhat.com/articles/5284081
https://github.com/cpandya2909/CVE-2020-15778
Comment 23 Huzaifa S. Sidhpurwala 2020-08-11 15:33:04 UTC 
Mitigation:

As per upstream, because of the way scp is based on a historical protocol called rcp which relies on that style of argument passing and therefore encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream therefore recommends the use of rsync in the place of scp for better security. More details about supported alternatives available at: https://access.redhat.com/articles/5284081
Comment 27 Huzaifa S. Sidhpurwala 2021-04-02 08:14:07 UTC 
Statement:

This security flaw lies in the way scp command parses its command line arguments. The SSH protocol or any other applications shipped as a part of openssh-clients packages are not vulnerable.

In order to exploit this flaw, the attacker needs to social engineer or manipulate a system administrator (who has root access on the remote server)  to run scp with a malicious command line parameter. 

Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removing the openssh-clients package will make binaries like scp and ssh etc unavailable on that system. Also administrators can change the execute permissions on the scp binary. However this mitigation will be in place until the openssh-clients package is updated.
Comment 28 Product Security DevOps Team 2021-05-06 08:33:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15778
Note You need to log in before you can comment on or make changes to this bug.