Decades-Old Flaws Leave SCP Clients Vulnerable To Attack

Security flaws dating back 36 years, to 1983, have been found to affect past and current versions of Secure Copy Protocol (SCP) implementations, a secure file-transfer protocol used in popular tools such as OpenSSH, PuTTy and WinSCP.

The bugs could allow a malicious SCP server to make unauthorised changes to files on a client’s system and to hide malicious operations, said researcher Harry Sintonen of F-Secure.

Sintonen said he has been working with vendors to patch the issues since last August, but at present they have only been addressed in WinSCP, which addresses them in release 5.14, issued in October 2018.

SCP is a secure version of the Remote Copy Protocol (RCP), and the issues arise from RCP, Sintonen said.

Decades-old flaws

He said one of the issues is caused by SCP clients failing to verify whether the objects sent by the SCP server are identical to those that were asked for, meaning that altered documents can be sent.

“This issue dates back to 1983 and RCP, on which SCP is based,” Sintonen said in an advisory.

A separate issue in SCP clients allows target directory attributes to be changed arbitrarily, while two further client bugs allow servers to spoof client output, Sintonen said.

Because the bugs could allow a malicious server to overwrite arbitrary files on a client’s system, including critical system files, they can effectively be used to execute malicious code on that system, Sintonen said.

He noted that the attacks rely on the client connecting to a malicious server, which could, for instance, be a legitimate server that has been taken over by attackers.

Sintonen advised users to switch to patched clients if possible, or, if not, to use alternative protocols such as SFTP.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Delays Staff Mandate For Three Days A Week In Office – Report

Tech giant blames rising Covid cases as it again pushes back return to office deadline,…

44 mins ago

Tesla Bluetooth Locks Can Be Hacked, Warns NCC Group

Digital locks, including those fitted to Tesla vehicles, are vulnerable to being unlocked via an…

3 hours ago

Twitter Board To ‘Enforce’ Elon Musk Merger Agreement

Legal action ahead? Elon Musk's takeover agreement of Twitter will be enforced says board of…

4 hours ago

Silicon UK In Focus Podcast: Is Your Business Ready for Frontend-as-a-Service?

How could FaaS revolutionise E-commerce? And how can businesses embrace this technology to connect with…

5 hours ago

Uber Eats Offers Two Robo-Delivery Services In California

Uber Eats offers food delivery using Motional autonomous cars in Santa Monica and sidewalk robot…

1 day ago

Russia ‘Not Planning To Block YouTube’ Says Minister

Digital minister says Russia not planning to block YouTube in the country as Russian users…

1 day ago