
Mitigation Instructions for CVE-2020-15778

Written by CyRisk Vulnerability Management Team | May 15, 2023 6:52:29 PM

SUBJECT: CVE-2020-15778 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

TECH STACK: OpenSSH

DATE(S) ISSUED: 07/24/2020

NVD Last Modified: 02/24/2023

CRITICALITY: HIGH

OVERVIEW:

CVE-2020-15778 is a vulnerability in the scp (Secure Copy Protocol) command of OpenSSH versions up to 8.3p1. It allows command injection in the toremote function in scp.c, triggered by placing backtick characters (`) in the destination argument.

This could allow an attacker to execute arbitrary commands on the remote server, which could lead to unauthorized access, data compromise or other unwanted impacts.

The vulnerability was reported as disputed because the vendor (OpenSSH) has stated that they intentionally do not validate certain "anomalous argument transfers", since doing so could break existing workflows. In other words, the design decision to allow for certain types of flexible input could potentially lead to security issues like this one, but changing this behavior could disrupt functionality for some users.

SOLUTION:

OpenSSH has not released a patch that addresses this issue directly as of this article. The vendor (OpenSSH) considers the behaviour part of the scp tool's original design, which does not provide strong security controls.

However, several mitigation measures can be taken:

  1. Avoid Untrusted Inputs: Do not use scp with untrusted inputs or in untrusted environments. This is a good general security practice, but is particularly important for mitigating this issue.

  2. Use sftp instead of scp: The sftp command is a more secure alternative to scp and does not have this vulnerability. It is a drop-in replacement for scp in most workflows.

  3. Use rsync over SSH: Another alternative is to use rsync over SSH. rsync is a file copying tool that uses a different protocol and is not vulnerable to this issue.

  4. Use OpenSSH's own scp replacement: OpenSSH has developed an in-house scp replacement called scp2 that is designed to be more secure. It's still in development and may not be fully compatible with all scp use cases.
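Mitigation 1 is easiest to enforce in the automation that calls scp. The following is an added example, not code from OpenSSH or from this advisory: a Python wrapper that allowlists the characters permitted in a `[user@]host:path` destination and refuses anything else before scp is invoked. The regular expressions and the `check_scp_target`, `build_scp_argv` and `copy` helpers are this example's own assumptions, and the allowlist is deliberately conservative (for instance, bracketed IPv6 hosts are rejected).

```python
"""Allowlist check for scp destination arguments (CVE-2020-15778 mitigation 1).

scp passes the remote path through the remote user's login shell when it
runs `scp -t <path>` on the server, so backticks and other metacharacters in
the destination are expanded there.  Avoiding shell=True locally does not
help; the remote path itself has to be constrained before scp is called.
"""
import re
import subprocess

# Assumed allowlist: the host and path characters a file-transfer job
# legitimately needs.  Anything else (backticks, $, ;, |, quotes, spaces)
# is rejected outright rather than escaped.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9.-]+$")
_PATH_RE = re.compile(r"^[A-Za-z0-9._/~+-]+$")


def check_scp_target(target: str) -> bool:
    """Return True only if target is [user@]host:path built from allowed chars."""
    host, sep, path = target.partition(":")
    if not sep or not path:
        return False  # local destination or empty remote path: refuse
    return bool(_HOST_RE.match(host) and _PATH_RE.match(path))


def build_scp_argv(local_file: str, target: str) -> list[str]:
    """Return the scp argv list, or raise ValueError if the target fails the check."""
    if not check_scp_target(target):
        raise ValueError(f"refusing unsafe scp destination: {target!r}")
    # "--" ends option parsing so a local filename cannot be read as a flag.
    return ["scp", "--", local_file, target]


def copy(local_file: str, target: str) -> int:
    """Run the validated scp command and return its exit status."""
    return subprocess.run(build_scp_argv(local_file, target), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a benign destination and one carrying backticks.
    for t in ("backup@fileserver.example:/srv/backup/db.sql",
              "backup@fileserver.example:/srv/`cmd`/db.sql"):
        print(t, "->", "ok" if check_scp_target(t) else "REJECTED")
```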

Remember to stay up-to-date on the latest patches and updates from the OpenSSH team, and consider switching to a more secure tool if scp does not meet your security needs.

REFERENCES:

Third Party Advisories:

  1. GitHub Exploit by cpandya2909
  2. YCombinator Discussion
  3. Gentoo Security Advisory (GLSA-202212-06)
  4. NetApp Security Advisory (ntap-20200731-0007)

Confirmation & Additional Information:

  1. OpenSSH Security Advisory

Cross-References:

  1. Confirmation from NetApp
  2. Confirmation from Gentoo
  3. Additional Information from GitHub
  4. Additional Information from YCombinator
  5. Additional Information from OpenSSH