Bug 1854145 (CVE-2020-12062) - CVE-2020-12062 openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
Summary: CVE-2020-12062 openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-12062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1854146
Reported: 2020-07-06 14:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-07-16 12:42 UTC
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-07 03:51:17 UTC



Description Guilherme de Almeida Suckevicz 2020-07-06 14:46:06 UTC
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."

References:
https://www.openssh.com/txt/release-8.3
https://www.openwall.com/lists/oss-security/2020/05/27/1

Upstream commits:
https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894
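Added illustration of what "duplicate responses" means at the protocol level. This is not OpenSSH's scp.c and not code from the reporter: it is a simplified Python model of the receiving ("sink") side of the classic scp protocol, in which the sink must answer every source record (T, D, E, C lines) with exactly one status response. All names here (parse_records, sink, count_responses, failing_utimes, SAMPLE_STREAM) are invented for the example; the model omits the source's own status byte after file data, applies a T record only to the next file, and makes the time-setting call injectable so a utimes(2) failure can be forced.

```python
"""Simplified model of the scp sink; added example, not OpenSSH's scp.c.

Assumptions (invented here): T/D/E/C records only, the source's status byte
after file data is omitted, T applies only to the next C record, and the
function that sets file times is injectable so its failure can be forced.
"""
import errno
import os
import tempfile
from typing import Callable, List, Tuple

Record = Tuple[str, str, bytes]   # (kind, header without the kind byte, file data)
OK = b"\x00"                      # scp "ok" response


def error_response(msg: str) -> bytes:
    """scp error response: 0x01 byte, message, newline."""
    return b"\x01scp: " + msg.encode() + b"\n"


def parse_records(stream: bytes) -> List[Record]:
    """Split a source stream into records; a C record carries its file bytes."""
    records: List[Record] = []
    pos = 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        line = stream[pos:nl].decode()
        pos = nl + 1
        kind, header = line[0], line[1:]
        data = b""
        if kind == "C":
            _mode, size, _name = header.split(" ", 2)
            data = stream[pos:pos + int(size)]
            pos += int(size)
        records.append((kind, header, data))
    return records


def sink(stream: bytes, dest_dir: str,
         set_times: Callable[[str, Tuple[int, int]], None] = os.utime,
         duplicate_on_utimes_failure: bool = False) -> List[bytes]:
    """Receive a stream into dest_dir and return every response sent, in order.

    duplicate_on_utimes_failure=True models the behaviour the report describes
    (an error response followed by an extra OK for the same record); False
    models the intended one-response-per-record behaviour.
    """
    responses: List[bytes] = []
    cwd, dir_stack = dest_dir, []
    pending_times = None
    for kind, header, data in parse_records(stream):
        if kind == "T":                       # Tmtime 0 atime 0
            mtime, _, atime, _ = header.split()
            pending_times = (int(atime), int(mtime))
            responses.append(OK)
        elif kind == "D":                     # Dmode 0 name: enter a directory
            _mode, _size, name = header.split(" ", 2)
            new_dir = os.path.join(cwd, os.path.basename(name))
            os.makedirs(new_dir, exist_ok=True)
            dir_stack.append(cwd)
            cwd = new_dir
            pending_times = None              # simplification: no directory times
            responses.append(OK)
        elif kind == "E":                     # leave the directory
            cwd = dir_stack.pop()
            responses.append(OK)
        elif kind == "C":                     # Cmode size name, then size bytes
            _mode, _size, name = header.split(" ", 2)
            path = os.path.join(cwd, os.path.basename(name))
            with open(path, "wb") as f:
                f.write(data)
            if pending_times is None:
                responses.append(OK)
                continue
            try:
                set_times(path, pending_times)
                responses.append(OK)
            except OSError as e:
                responses.append(error_response(f"{name}: set times: {e.strerror}"))
                if duplicate_on_utimes_failure:
                    responses.append(OK)      # second reply for the same record
            finally:
                pending_times = None
        else:
            raise ValueError(f"unknown record kind {kind!r}")
    return responses


def failing_utimes(path: str, times: Tuple[int, int]) -> None:
    """Stand-in for a utimes(2) call that fails (rare in practice, per upstream)."""
    raise OSError(errno.EPERM, os.strerror(errno.EPERM), path)


def count_responses(stream: bytes, utimes_fails: bool, buggy: bool) -> Tuple[int, int]:
    """Return (records sent by the source, responses sent by the sink)."""
    set_times = failing_utimes if utimes_fails else os.utime
    with tempfile.TemporaryDirectory() as d:
        return len(parse_records(stream)), len(sink(stream, d, set_times, buggy))


# Constructed source stream: a directory holding one timestamped file, then a
# second file at the top level; five records in total.
SAMPLE_STREAM = (
    b"D0755 0 sub\n"
    b"T1590000000 0 1590000000 0\n"
    b"C0644 5 hello\n" b"hello"
    b"E\n"
    b"C0644 3 top\n" b"abc"
)

if __name__ == "__main__":
    print(count_responses(SAMPLE_STREAM, utimes_fails=True, buggy=True))   # (5, 6)
    print(count_responses(SAMPLE_STREAM, utimes_fails=True, buggy=False))  # (5, 5)
```

With a forced utimes failure the duplicating sink answers five records with six responses. A source that reads one response per record consumes the extra OK and is thereafter one reply ahead of the sink for the rest of the transfer; that one-off desynchronisation is what "duplicate responses" in the report refers to. Note that the error response is still emitted and printed on the client, which is why upstream describes the condition as noisy rather than silent.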

Comment 1 Huzaifa S. Sidhpurwala 2020-07-07 03:51:17 UTC
Red Hat does not consider this issue as a security flaw. As per upstream:

"Exploitation of this is not likely as utimes(2) does not fail under normal circumstances. Successful exploitation is not silent - the output of scp(1) would show transfer errors followed by the actual file(s) that were received"

This CVE has been rejected by MITRE.

Comment 2 Huzaifa S. Sidhpurwala 2020-07-07 03:51:22 UTC
Statement:

Red Hat does not consider this issue as a security flaw. As per upstream:

"Exploitation of this is not likely as utimes(2) does not fail under normal circumstances. Successful exploitation is not silent - the output of scp(1) would show transfer errors followed by the actual file(s) that were received"

This CVE has been rejected by MITRE.
