Bug 733802 (CVE-2020-15778) - <net-misc/openssh-9.0_p1: Command injection via scp (CVE-2020-15778)
Summary: <net-misc/openssh-9.0_p1: Command injection via scp (CVE-2020-15778)
Status: RESOLVED FIXED
Alias: CVE-2020-15778
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/cpandya2909/CVE-20...
Whiteboard: A1 [glsa+]
Keywords:
Depends on: 866434
Blocks:
Reported: 2020-07-24 17:55 UTC by John Helmert III
Modified: 2022-12-28 20:49 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 17:55:05 UTC
CVE-2020-15778:

scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 17:56:14 UTC
Upstream's reply from $URL:

The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-24 21:12:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9c13abcdabcbde0e879fcff5b650216e8649ebb

commit b9c13abcdabcbde0e879fcff5b650216e8649ebb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-24 21:10:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-24 21:10:11 +0000

    net-misc/openssh-8.3_p1-r3: Add default-off USE flag for scp (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/metadata.xml             |   1 +
 net-misc/openssh/openssh-8.3_p1-r3.ebuild | 498 ++++++++++++++++++++++++++++++
 2 files changed, 499 insertions(+)
Comment 3 Kevin Korb 2020-07-26 00:41:45 UTC
I am a big fan of rsync so this doesn't bother me a bit but I thought I would point out another alternative (that I don't actually use)...

Putty's pscp command is command line compatible with scp, but it uses (by default) sftp, so it is immune from these problems. It will use an authentication agent if you have one; however, it uses a different key file format and it will not use your ssh_config file settings if you have them.
Comment 4 Sergey 'L29Ah' Alirzaev 2020-07-27 07:17:47 UTC
Return scp plz. Not having scp installed does nothing to alleviate the vulnerability.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-27 21:19:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dc8c82d4cd5ad3976601916b0afe4f9427f513b

commit 0dc8c82d4cd5ad3976601916b0afe4f9427f513b
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-27 17:17:48 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-27 21:19:30 +0000

    net-misc/openssh-9.3_p1-r4: Default enable the scp USE flag (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/{openssh-8.3_p1-r3.ebuild => openssh-8.3_p1-r4.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Hanno Böck gentoo-dev 2020-11-09 08:36:32 UTC
Some update here, it seems there is work happening on replacing the "scp" command with something that works like scp (i.e. mostly syntax-compatible), but uses the sftp protocol internally.

https://lwn.net/SubscriberLink/835962/ae41b27bc20699ad/
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-June/038594.html
https://github.com/openssh/openssh-portable/pull/194

Discussion in the pull request sounds to me like this will eventually end up in default openssh and hopefully resolve this for good.
Comment 7 Niklāvs Koļesņikovs 2022-02-28 09:33:58 UTC
It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch which would still have been disabled in that version, unless Gentoo patched the source to make it run. However I have verified that OpenSSH 8.8_p1-r4 does have it available.

Since `scp -s` now exists as an alternative that avoids the legacy rcp protocol in favor of the sftp protocol, is there anything else needed before this CVE can be considered addressed?
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-28 15:08:13 UTC
(In reply to Niklāvs Koļesņikovs from comment #7)
> It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch
> which would still have been disabled in that version, unless Gentoo patched
> the source to make it run. However I have verified that OpenSSH 8.8_p1-r4
> does have it available.
> 
> Since `scp -s` now exists as an alternative that avoids the legacy rcp
> protocol in favor of the sftp protocol, is there anything else needed before
> this CVE can be considered addressed?

Yes. It generally needs to be fixed rather than worked around.
Comment 9 Niklāvs Koļesņikovs 2022-02-28 15:33:44 UTC
Admittedly I only have a broad overview of this CVE, but my understanding of the upstream position is that the legacy scp is what it is, and those who do not find CVE-2020-15778 and any issues like it an acceptable risk should be using rsync, sftp or the new `scp -s` instead.

As such it might make sense to either patch OpenSSH to turn the sftp mode on by default or to mask the scp USE flag.
Comment 10 Mike Gilbert gentoo-dev 2022-02-28 17:10:51 UTC
I figure we will wait until upstream switches the default to SFTP, and then drop the "scp" USE flag.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-08 15:08:48 UTC
Seemingly fixed in 9.0:

Potentially-incompatible changes
--------------------------------

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
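As an added illustration of the point made in the description and in the 9.0 release notes above (legacy scp hands the remote path to the remote login shell, so shell metacharacters must be quoted, whereas SFTP mode does not), the following Python wrapper picks SFTP mode when the installed client supports `-s` and otherwise quotes risky remote paths before building the scp argv. This is example code written here, not code from the bug, the Gentoo ebuild or OpenSSH; the `ssh -V` banner parsing, the `split_remote` convention and the metacharacter set are assumptions made for the example.

```python
import re
import shlex
from typing import List, Optional

# Characters a remote login shell would interpret in a legacy scp/rcp path:
# the wildcards the release notes mention (* ? [ ] ~) plus everything that
# lets part of a path be parsed as a command (backticks, $, ;, |, quotes...).
# Assumption for this example; tune to the remote shell in use.
SHELL_META = re.compile(r'[`$|;&<>()"\'\\ \t\n*?\[\]~]')


def openssh_supports_sftp_scp(banner: str) -> bool:
    """Parse an 'ssh -V' banner such as 'OpenSSH_8.8p1, OpenSSL ...'.
    scp -s (SFTP mode) arrived in OpenSSH 8.7 and became the default in 9.0."""
    m = re.search(r'OpenSSH_(\d+)\.(\d+)', banner)
    return m is not None and (int(m.group(1)), int(m.group(2))) >= (8, 7)


def split_remote(arg: str) -> Optional[str]:
    """Return the path part of a [user@]host:path argument, or None for a local
    file. Follows scp's rule: a ':' with no '/' before it marks a remote file."""
    if ':' not in arg:
        return None
    host, path = arg.split(':', 1)
    if not host or '/' in host:
        return None
    return path


def risky_remote_path(arg: str) -> bool:
    """Audit check: does a remote path carry shell metacharacters that legacy
    scp would hand to the remote shell unquoted?"""
    path = split_remote(arg)
    return bool(path) and SHELL_META.search(path) is not None


def quote_remote_path(arg: str) -> str:
    """The 'double quoting' from the release notes: quote the path so the remote
    shell sees it literally. One level suffices here because the argv list goes
    straight to subprocess, so no local shell ever parses the argument."""
    path = split_remote(arg)
    if not path:
        return arg
    host = arg[: len(arg) - len(path) - 1]
    return f"{host}:{shlex.quote(path)}"


def build_scp_argv(args: List[str], banner: str) -> List[str]:
    """argv for subprocess.run(): SFTP mode (-s) when the client supports it,
    otherwise legacy mode with every risky remote path quoted."""
    if openssh_supports_sftp_scp(banner):
        return ['scp', '-s', *args]
    return ['scp', *[quote_remote_path(a) if risky_remote_path(a) else a for a in args]]
```

Note that quoting in legacy mode also disables intentional remote wildcard expansion such as `host:*`, which is exactly the behaviour change the release notes describe for SFTP mode.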
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 20:29:06 UTC
GLSA request filed.
Comment 13 Larry the Git Cow gentoo-dev 2022-12-28 18:59:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4bba232aa0519e18c1541480c7f0b8dcb717ecb2

commit 4bba232aa0519e18c1541480c7f0b8dcb717ecb2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:57:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-06 ] OpenSSH: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/815010
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-06.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 14 Larry the Git Cow gentoo-dev 2022-12-28 20:44:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08f683984806bb85009e0e7ab23623600c8129e2

commit 08f683984806bb85009e0e7ab23623600c8129e2
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-28 20:43:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 20:43:58 +0000

    net-misc/openssh: drop 9.0_p1-r6, 9.1_p1
    
    Bug: https://bugs.gentoo.org/874876
    Bug: https://bugs.gentoo.org/733802
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest                 |   7 -
 net-misc/openssh/openssh-9.0_p1-r6.ebuild | 499 -----------------------------
 net-misc/openssh/openssh-9.1_p1.ebuild    | 514 ------------------------------
 3 files changed, 1020 deletions(-)
Comment 15 Larry the Git Cow gentoo-dev 2022-12-28 20:49:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eadbba1d383201b13a6392480682a029d5cd6632

commit eadbba1d383201b13a6392480682a029d5cd6632
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-28 20:47:37 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 20:47:37 +0000

    net-misc/openssh: drop 9.0_p1-r6
    
    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest                 |   4 -
 net-misc/openssh/openssh-9.0_p1-r6.ebuild | 499 ------------------------------
 2 files changed, 503 deletions(-)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-28 20:49:28 UTC
Cleanup done, all done.