Bug 733802 (CVE-2020-15778)

Summary: <net-misc/openssh-9.0_p1: Command injection via scp (CVE-2020-15778)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: major
CC: 89q1r14hd, base-system, bertrand, fturco, hanno, pacho, tanekliang, ulm
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/cpandya2909/CVE-2020-15778/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=734024
Whiteboard: B1 [stable?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 17:55:05 UTC
CVE-2020-15778:

scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 17:56:14 UTC
Upstream's reply from $URL:

The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-24 21:12:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9c13abcdabcbde0e879fcff5b650216e8649ebb

commit b9c13abcdabcbde0e879fcff5b650216e8649ebb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-24 21:10:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-24 21:10:11 +0000

    net-misc/openssh-8.3_p1-r3: Add default-off USE flag for scp (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/metadata.xml             |   1 +
 net-misc/openssh/openssh-8.3_p1-r3.ebuild | 498 ++++++++++++++++++++++++++++++
 2 files changed, 499 insertions(+)
Comment 3 Kevin Korb 2020-07-26 00:41:45 UTC
I am a big fan of rsync so this doesn't bother me a bit but I thought I would point out another alternative (that I don't actually use)...

PuTTY's pscp command is command-line compatible with scp, but it uses sftp by default, so it is immune from these problems. It will use an authentication agent if you have one; however, it uses a different key file format and it will not use your ssh_config file settings if you have them.
Comment 4 Sergey 'L29Ah' Alirzaev 2020-07-27 07:17:47 UTC
Return scp plz. Not having scp installed does nothing to alleviate the vulnerability.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-27 21:19:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dc8c82d4cd5ad3976601916b0afe4f9427f513b

commit 0dc8c82d4cd5ad3976601916b0afe4f9427f513b
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-27 17:17:48 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-27 21:19:30 +0000

    net-misc/openssh-9.3_p1-r4: Default enable the scp USE flag (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/{openssh-8.3_p1-r3.ebuild => openssh-8.3_p1-r4.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Hanno Böck gentoo-dev 2020-11-09 08:36:32 UTC
Some update here, it seems there is work happening on replacing the "scp" command with something that works like scp (i.e. mostly syntax-compatible), but uses the sftp protocol internally.

https://lwn.net/SubscriberLink/835962/ae41b27bc20699ad/
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-June/038594.html
https://github.com/openssh/openssh-portable/pull/194

Discussion in the pull request sounds to me like this will eventually end up in default openssh and hopefully resolve this for good.
Comment 7 Niklāvs Koļesņikovs 2022-02-28 09:33:58 UTC
It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch, which would still have been disabled in that version unless Gentoo patched the source to make it run. However, I have verified that OpenSSH 8.8_p1-r4 does have it available.

Since `scp -s` now exists as an alternative that avoids the legacy rcp protocol in favor of the sftp protocol, is there anything else needed before this CVE can be considered addressed?
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-28 15:08:13 UTC
(In reply to Niklāvs Koļesņikovs from comment #7)
> It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch
> which would still have been disabled in that version, unless Gentoo patched
> the source to make it run. However I have verified that OpenSSH 8.8_p1-r4
> does have it available.
> 
> Since `scp -s` now exists as an alternative that avoids the legacy rcp
> protocol in favor of the sftp protocol, is there anything else needed before
> this CVE can be considered addressed?

Yes. It generally needs to be fixed rather than worked around.
Comment 9 Niklāvs Koļesņikovs 2022-02-28 15:33:44 UTC
Admittedly I only have a broad overview of this CVE, but my understanding of the upstream position is that the legacy scp is what it is, and those who do not find CVE-2020-15778 and any issues like it an acceptable risk should be using rsync, sftp or the new `scp -s` instead.

As such it might make sense to either patch OpenSSH to turn the sftp mode on by default or to mask the scp USE flag.
Comment 10 Mike Gilbert gentoo-dev 2022-02-28 17:10:51 UTC
I figure we will wait until upstream switches the default to SFTP, and then drop the "scp" USE flag.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-08 15:08:48 UTC
Seemingly fixed in 9.0:

Potentially-incompatible changes
--------------------------------

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
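The release notes quoted above explain the root of the CVE in the description: under the legacy scp/rcp protocol the remote path is handed to the remote shell, so a destination containing backticks or other metacharacters is interpreted as a command, while the SFTP mode (`scp -s` from comment #7, the default from 9.0, `-O` to force legacy) never goes through the shell. The following is an added example, not code from OpenSSH or from this bug thread: a small POSIX sh wrapper that (1) parses the `ssh -V` banner to decide whether the installed client already defaults to SFTP or can opt in with `-s`, and (2) when only the legacy protocol is available, refuses remote arguments that carry command-substitution or command-separator characters before scp ever runs. The function names, the metacharacter list, the sample banners and the `scp_safe` usage are constructed here; the 9.0 threshold comes from the release notes above and the 8.7 threshold for `-s` is an assumption taken from comment #7. Wildcards are intentionally not rejected, because legacy scp relies on the remote shell to expand them ("scp host:* .").

```shell
#!/bin/sh
# Added example (not OpenSSH code, not from the bug thread): choose a safe way
# to invoke scp for the installed client. All names below are constructed.

# Return 0 if a remote argument contains characters that the remote shell would
# treat as command substitution or a command separator under legacy scp/rcp.
# Wildcards (* ? [) are not flagged: legacy scp depends on the remote shell to
# expand them, so flagging them would break "scp host:* ." workflows.
scp_arg_has_shell_meta() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*|*"'"*|*'"'*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Print "major minor" parsed from an `ssh -V` banner such as
# "OpenSSH_9.0p1, OpenSSL 1.1.1n  15 Mar 2022"; print nothing if unparseable.
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the banner ($1) reports a version of at least $2.$3.
openssh_version_ge() {
    want_major=$2
    want_minor=$3
    set -- $(openssh_major_minor "$1")      # now $1=major $2=minor (or unset)
    [ -n "${1:-}" ] || return 1
    if [ "$1" -gt "$want_major" ]; then return 0; fi
    [ "$1" -eq "$want_major" ] && [ "$2" -ge "$want_minor" ]
}

# Print the mode to use for this client: "" when scp already defaults to SFTP
# (9.0 and later, per the release notes), "-s" when SFTP can be opted into
# (assumed 8.7 and later, per comment #7), or "legacy" otherwise.
scp_mode_flag() {
    if openssh_version_ge "$1" 9 0; then
        printf '%s' ''
    elif openssh_version_ge "$1" 8 7; then
        printf '%s' '-s'
    else
        printf '%s' 'legacy'
    fi
}

# Wrapper around scp: when only the legacy protocol is available, refuse any
# host:path argument that would reach the remote shell with metacharacters in
# it (exit status 2); otherwise opt in to SFTP where the client supports it.
scp_safe() {
    mode=$(scp_mode_flag "$(ssh -V 2>&1)")
    if [ "$mode" = legacy ]; then
        for arg in "$@"; do
            case "$arg" in
                -*) ;;                      # client option, not a path
                *:*) if scp_arg_has_shell_meta "$arg"; then
                         echo "scp_safe: refusing remote argument with shell metacharacters: $arg" >&2
                         return 2
                     fi ;;
            esac
        done
        exec scp "$@"
    fi
    exec scp $mode "$@"                     # $mode is "" or "-s"
}

# Usage: ./scp_safe.sh [scp options] source ... target
if [ "$#" -gt 0 ]; then
    scp_safe "$@"
fi
```

The check in `scp_safe` is deliberately narrow: it only blocks characters that could turn a filename into a command on the remote side, and it only does so when the transfer would actually go through the remote shell. On a 9.0 or later client the wrapper changes nothing, which matches the upstream position that the fix is the protocol switch rather than argument filtering.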