OpenSSH has a vulnerability in the scp client utility. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys). External Reference: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Proposed Patch: https://sintonen.fi/advisories/scp-name-validator.patch
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1666128]
Analysis: This is a flaw in the scp client (/usr/bin/scp) shipped as a part of openssh-clients package. The flaw essentially allows a malicious scp server to possibly overwrite arbitrary files in the scp client target directory or if recursive operation (-r) is chosen than the server can manipulate subdirectories on the client machine as well, subject to the file/directory permissions. To trigger this flaw, the scp client needs to either connect to a malicious scp server or connect to a MITM scp server. Connecting to a MITM server will require the client to accept the new host key, which essentially implies that either the scp server (which the client previously connected to) has changed or there is a possible MITM attempt, both of which should be investigated by the system administrator before going ahead with the connection. Also note that, since this is a flaw in the scp utility, the SSH client is not affected.
Statement: This issue affects the scp client shipped with openssh. The SSH protocol or the SSH client is not affected. For more detailed analysis please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1666127#c2
Mitigation: This issue only affects the users of scp binary which is a part of openssh-clients package. Other usage of SSH protocol or other ssh clients is not affected. Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removal of openssh-clients package will make the packaged binaries like scp, ssh etc unavailable. Note: This flaw requires a malicious MITM scp server for exploitation. Use cases where trusted SCP servers are used are not affected by this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3702 https://access.redhat.com/errata/RHSA-2019:3702
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-6111