Decades-Old Flaws Leave SCP Clients Vulnerable To Attack

Security flaws dating back 36 years, to 1983, have been found to affect past and current versions of Secure Copy Protocol (SCP) implementations, a secure file-transfer protocol used in popular tools such as OpenSSH, PuTTy and WinSCP.

The bugs could allow a malicious SCP server to make unauthorised changes to files on a client’s system and to hide malicious operations, said researcher Harry Sintonen of F-Secure.

Sintonen said he has been working with vendors to patch the issues since last August, but at present they have only been addressed in WinSCP, which addresses them in release 5.14, issued in October 2018.

SCP is a secure version of the Remote Copy Protocol (RCP), and the issues arise from RCP, Sintonen said.

Decades-old flaws

He said one of the issues is caused by SCP clients failing to verify whether the objects sent by the SCP server are identical to those that were asked for, meaning that altered documents can be sent.

“This issue dates back to 1983 and RCP, on which SCP is based,” Sintonen said in an advisory.

A separate issue in SCP clients allows target directory attributes to be changed arbitrarily, while two further client bugs allow servers to spoof client output, Sintonen said.

Because the bugs could allow a malicious server to overwrite arbitrary files on a client’s system, including critical system files, they can effectively be used to execute malicious code on that system, Sintonen said.

He noted that the attacks rely on the client connecting to a malicious server, which could, for instance, be a legitimate server that has been taken over by attackers.

Sintonen advised users to switch to patched clients if possible, or, if not, to use alternative protocols such as SFTP.