Decades-Old Flaws Leave SCP Clients Vulnerable To Attack

Security flaws dating back 36 years, to 1983, have been found to affect past and current versions of Secure Copy Protocol (SCP) implementations, a secure file-transfer protocol used in popular tools such as OpenSSH, PuTTy and WinSCP.

The bugs could allow a malicious SCP server to make unauthorised changes to files on a client’s system and to hide malicious operations, said researcher Harry Sintonen of F-Secure.

Sintonen said he has been working with vendors to patch the issues since last August, but at present they have only been addressed in WinSCP, which addresses them in release 5.14, issued in October 2018.

SCP is a secure version of the Remote Copy Protocol (RCP), and the issues arise from RCP, Sintonen said.

Decades-old flaws

He said one of the issues is caused by SCP clients failing to verify whether the objects sent by the SCP server are identical to those that were asked for, meaning that altered documents can be sent.

“This issue dates back to 1983 and RCP, on which SCP is based,” Sintonen said in an advisory.

A separate issue in SCP clients allows target directory attributes to be changed arbitrarily, while two further client bugs allow servers to spoof client output, Sintonen said.

Because the bugs could allow a malicious server to overwrite arbitrary files on a client’s system, including critical system files, they can effectively be used to execute malicious code on that system, Sintonen said.

He noted that the attacks rely on the client connecting to a malicious server, which could, for instance, be a legitimate server that has been taken over by attackers.

Sintonen advised users to switch to patched clients if possible, or, if not, to use alternative protocols such as SFTP.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago