CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Upstream's reply from $URL: The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9c13abcdabcbde0e879fcff5b650216e8649ebb

commit b9c13abcdabcbde0e879fcff5b650216e8649ebb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-24 21:10:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-24 21:10:11 +0000

    net-misc/openssh-8.3_p1-r3: Add default-off USE flag for scp (bug #733802)

    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/metadata.xml             |   1 +
 net-misc/openssh/openssh-8.3_p1-r3.ebuild | 498 ++++++++++++++++++++++++++++++
 2 files changed, 499 insertions(+)
I am a big fan of rsync so this doesn't bother me a bit but I thought I would point out another alternative (that I don't actually use)... PuTTY's pscp command is command line compatible with scp but it uses (by default) sftp so it is immune from these problems. It will use an authentication agent if you have one; however, it uses a different key file format and it will not use your ssh_config file settings if you have them.
Return scp plz. Not having scp installed does nothing to alleviate the vulnerability.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dc8c82d4cd5ad3976601916b0afe4f9427f513b

commit 0dc8c82d4cd5ad3976601916b0afe4f9427f513b
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-27 17:17:48 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-27 21:19:30 +0000

    net-misc/openssh-9.3_p1-r4: Default enable the scp USE flag (bug #733802)

    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/{openssh-8.3_p1-r3.ebuild => openssh-8.3_p1-r4.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Some update here, it seems there is work happening on replacing the "scp" command with something that works like scp (i.e. mostly syntax-compatible), but uses the sftp protocol internally.

https://lwn.net/SubscriberLink/835962/ae41b27bc20699ad/
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-June/038594.html
https://github.com/openssh/openssh-portable/pull/194

Discussion in the pull request sounds to me like this will eventually end up in default openssh and hopefully resolve this for good.
It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch which would still have been disabled in that version, unless Gentoo patched the source to make it run. However I have verified that OpenSSH 8.8_p1-r4 does have it available. Since `scp -s` now exists as an alternative that avoids the legacy rcp protocol in favor of the sftp protocol, is there anything else needed before this CVE can be considered addressed?
(In reply to Niklāvs Koļesņikovs from comment #7)
> It seems that OpenSSH 8.7_p1-r1 already includes support for the `-s` switch
> which would still have been disabled in that version, unless Gentoo patched
> the source to make it run. However I have verified that OpenSSH 8.8_p1-r4
> does have it available.
>
> Since `scp -s` now exists as an alternative that avoids the legacy rcp
> protocol in favor of the sftp protocol, is there anything else needed before
> this CVE can be considered addressed?

Yes. It generally needs to be fixed rather than worked around.
Admittedly I only have a broad overview of this CVE but my understanding of the upstream position is that the legacy scp is what it is and those who do not find CVE-2020-15778 and any issues like it an acceptable risk should be using rsync, sftp or the new `scp -s` instead. As such it might make sense to either patch OpenSSH to turn the sftp mode on by default or to mask the scp USE flag.
I figure we will wait until upstream switches the default to SFTP, and then drop the "scp" USE flag.
Seemingly fixed in 9.0:

Potentially-incompatible changes
--------------------------------

This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote paths relative to other users' home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.

In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag.
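An added example, not code from this thread or from OpenSSH, showing the difference between the two transfer modes in a small client-side wrapper. It mirrors scp's own host:path rule (a colon before any slash makes an argument remote; bracketed IPv6 hosts are left out), picks `-s` or nothing from an assumed `ssh -V` banner, and with a legacy-only client refuses remote arguments the remote shell would interpret, including the wildcards and ~user paths the release notes mention, instead of attempting the brittle double quoting.

```python
import re
from typing import List, Optional, Tuple

# Characters legacy scp/rcp lets the remote shell interpret (substitution,
# separators, redirects, globs, ~user, whitespace); constructed for this example.
_REMOTE_SHELL_META = re.compile(r"[`$;&|<>(){}\[\]*?~\s'\"\\]")

def parse_version(banner: str) -> Tuple[int, int]:
    """(major, minor) from an `ssh -V` banner such as 'OpenSSH_8.8p1, OpenSSL ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSH banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))

def sftp_mode_flag(version: Tuple[int, int]) -> Optional[str]:
    """'' for 9.0+ (SFTP is the default), '-s' for 8.7/8.8, None if legacy-only."""
    if version >= (9, 0):
        return ""
    if version >= (8, 7):
        return "-s"
    return None

def remote_part(arg: str) -> Optional[str]:
    """Path after 'host:', or None for a local path. Mirrors scp's rule that an
    argument is remote only if ':' appears before any '/' (IPv6 brackets omitted)."""
    if arg.startswith(":"):
        return None
    for i, ch in enumerate(arg):
        if ch == "/":
            return None
        if ch == ":":
            return arg[i + 1:]
    return None

def remote_shell_interprets(arg: str) -> bool:
    """True if legacy scp/rcp would let the remote shell act on part of arg."""
    path = remote_part(arg)
    return path is not None and bool(_REMOTE_SHELL_META.search(path))

def build_scp_argv(version: Tuple[int, int], src: str, dst: str) -> List[str]:
    """Prefer SFTP mode; with a legacy-only client refuse arguments the remote
    shell would interpret rather than trying to quote them."""
    flag = sftp_mode_flag(version)
    if flag is None:
        for arg in (src, dst):
            if remote_shell_interprets(arg):
                raise ValueError(f"legacy scp would hand {arg!r} to the remote shell")
        return ["scp", src, dst]
    return ["scp", *([flag] if flag else []), src, dst]
```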
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4bba232aa0519e18c1541480c7f0b8dcb717ecb2

commit 4bba232aa0519e18c1541480c7f0b8dcb717ecb2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:57:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-06 ] OpenSSH: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/815010
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-06.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08f683984806bb85009e0e7ab23623600c8129e2

commit 08f683984806bb85009e0e7ab23623600c8129e2
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-28 20:43:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 20:43:58 +0000

    net-misc/openssh: drop 9.0_p1-r6, 9.1_p1

    Bug: https://bugs.gentoo.org/874876
    Bug: https://bugs.gentoo.org/733802
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest                 |   7 -
 net-misc/openssh/openssh-9.0_p1-r6.ebuild | 499 -----------------------------
 net-misc/openssh/openssh-9.1_p1.ebuild    | 514 ------------------------------
 3 files changed, 1020 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eadbba1d383201b13a6392480682a029d5cd6632

commit eadbba1d383201b13a6392480682a029d5cd6632
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-28 20:47:37 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 20:47:37 +0000

    net-misc/openssh: drop 9.0_p1-r6

    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest                 |   4 -
 net-misc/openssh/openssh-9.0_p1-r6.ebuild | 499 ------------------------------
 2 files changed, 503 deletions(-)
Cleanup done, all done.