SUBJECT: CVE-2020-15778 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
TECH STACK: OpenSSH
DATE(S) ISSUED: 07/24/2020
NVD Last Modified: 02/24/2023
CRITICALITY: HIGH
OVERVIEW:
CVE-2020-15778 is a vulnerability that affects the scp (Secure Copy Protocol) command in OpenSSH versions up to 8.3p1. It allows for command injection in the toremote function in scp.c. This is achieved by using backtick characters ( `) in the destination argument.
This could potentially allow an attacker to execute arbitrary commands on the remote server, which could lead to unauthorized access, data or other unwanted impacts.
The vulnerability was reported as disputed because the vendor (OpenSSH) has stated that they intentionally do not validate certain "anomalous argument transfers", since doing so could break existing workflows. In other words, the design decision to allow for certain types of flexible input could potentially lead to security issues like this one, but changing this behavior could disrupt functionality for some users.
SOLUTION:
OpenSSH has not released a patch to address this issue directly as of this artical. This is because the vendor (OpenSSH) considers it as a part of the scp tool's original design, which does not provide strong security controls.
However, several mitigation measures can be taken:
Avoid Untrusted Inputs: Do not use scp
with untrusted inputs or in untrusted environments. This is a good general security practice, but is particularly important for mitigating this issue.
Use sftp instead of scp: The sftp
command is a more secure alternative to scp
which does not have this vulnerability. It is often a drop-in replacement for scp
in most workflows.
Use rsync over SSH: Another alternative is to use rsync
over SSH. rsync
is a file copying tool that uses a different protocol and is not vulnerable to this issue.
Use OpenSSH's own scp replacement: OpenSSH has developed an in-house scp replacement called scp2
that is designed to be more secure. It's still in development and may not be fully compatible with all scp
use cases.
Remember to stay up-to-date on the latest patches and updates from the OpenSSH team, and consider switching to a more secure tool if scp
does not meet your security needs.
REFERENCES:
Third Party Advisories:
Confirmation & Additional Information:
Cross-References: