36-year-old vulnerabilities in SCP

These flaws could lead to remote code execution on compromised systems

According to experts in network security and ethical hacking from the International Institute of Cyber Security, a set of 36-year-old vulnerabilities has been discovered in the Secure Copy Protocol (SCP) implementations of multiple client applications; a malicious party could exploit them to overwrite arbitrary files in the SCP client's destination directory without authorization.

SCP (also known as Session Control Protocol) is a network protocol that lets users securely transfer files between a local and a remote host, building on the Remote Copy Protocol (RCP) and the SSH protocol.

In other words, the SCP protocol, created in 1983, is a secure version of RCP that relies on the authentication and encryption of the SSH protocol to transfer files between server and client, as network security experts note.

The vulnerabilities, discovered by the cybersecurity expert Harry Sintonen, exist because SCP clients perform insufficient validation of what the server sends; a malicious server, or an attacker using some variant of a Man-in-the-Middle (MitM) attack, could exploit this to arbitrarily delete or overwrite files on the client system.

“Many SCP clients do not verify whether the objects returned by the SCP server match the requests. This problem goes back to the year 1983 and the RCP protocol, on which SCP is based,” the expert mentioned.

An attacker-controlled server could place a .bash_aliases file in the victim’s home directory, tricking the system into executing malicious commands as soon as the Linux user starts a new shell.

Multiple vulnerabilities

According to the report, the vulnerabilities were discovered and reported to the potentially affected client vendors last August. The list of vulnerabilities includes:

  • Incorrect validation of the directory name by the SCP client (CVE-2018-20685)
  • Missing validation of received object names in the SCP client (CVE-2019-6111)
  • SCP client spoofing via object name (CVE-2019-6109)
  • SCP client spoofing via stderr (CVE-2019-6110)
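As an added illustration (not code from the report or from any of the clients named on this page), the following Python helper shows the kind of client-side checks the report says are missing: it parses a server's SCP control record, rejects illegal or unrequested object names, and strips terminal control sequences from server stderr before it is shown to the user. The record layout, function names and sample records are assumptions constructed for this example.

```python
import re
from fnmatch import fnmatchcase

# Shape of the SCP control record a server sends before each object,
# e.g. "C0644 12 notes.txt" (file) or "D0755 0 docs" (directory).
# Constructed for this example; real clients parse the stream byte by byte.
RECORD_RE = re.compile(r'^([CD])([0-7]{4}) (\d+) (.*)$')

# ANSI CSI escape sequences such as "\x1b[2J" (clear screen).
ANSI_RE = re.compile(r'\x1b\[[0-?]*[ -/]*[@-~]')


def _matches_request(name: str, patterns: list) -> bool:
    """Shell-style match, but a wildcard never matches a leading-dot name."""
    for pat in patterns:
        if name.startswith('.') and not pat.startswith('.'):
            continue
        if fnmatchcase(name, pat):
            return True
    return False


def validate_scp_record(record: str, requested: list) -> tuple:
    """Return (ok, reason) for one server record against the client's request.

    The checks mirror the problem classes listed above: the object name must
    be a plain file name (not '.', '..', empty, no path separators, no control
    characters) and must be one the client actually asked for.
    """
    m = RECORD_RE.match(record)
    if not m:
        return False, "malformed record"
    kind, _mode, _size, name = m.groups()
    if name in ("", ".", ".."):
        return False, "illegal object name"          # CVE-2018-20685 class
    if "/" in name or "\\" in name:
        return False, "path separator in object name"
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return False, "control character in object name"
    if not _matches_request(name, requested):
        return False, "unrequested object name"      # CVE-2019-6111 class
    return True, kind + " " + name


def sanitize_server_stderr(text: str) -> str:
    """Strip escape sequences and control characters from server stderr
    so a malicious server cannot redraw or hide output (CVE-2019-6110 class)."""
    text = ANSI_RE.sub("", text)
    return "".join(c for c in text if c in "\n\t" or 0x20 <= ord(c) < 0x7f)
```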

Because the vulnerabilities affect the implementation of the SCP protocol itself, all client applications that use SCP as their standard file-transfer mechanism, including OpenSSH, PuTTY, and WinSCP, are affected. WinSCP solved the problems with the release of version 5.14 last October, and the patch is also included in the current version 5.14.4.

The vulnerability CVE-2018-20685 was corrected in the implementation of the SCP protocol last November, although the correction has not been officially published by the providers. The other three vulnerabilities remain unpatched.

However, if you are concerned that a malicious SCP server could compromise your system, you can configure your client to use SFTP (secure FTP) where possible. Alternatively, the network security expert also provided a hardening fix that protects SCP against most server-side manipulation attempts, which you can apply directly, although it may cause some problems.

Possibly affected users are encouraged to stay on the lookout for the release of security patches as well as apply them to their systems as soon as they are available.