SCP support in RHEL
What is SCP
OpenSSH’s SCP (secure copy, remote file copy program) is a program based on the insecure RCP (remote copy) command-line API. It mimics RCP's semantics and follows logic similar to the cp command for local copy. The RCP protocol was designed in the 80s without security in mind, and even now SCP does not provide enough input validation to be completely secure. The protocol is very flexible and some use cases depend on obscure shell expansions, quoting and quote dropping, which makes its maintenance and future development very hard.
Vulnerabilities summary
In recent years, we fixed several vulnerabilities such as CVE-2018-2068 or CVE-2019-6111. These allowed a malicious server to modify files on the client file system, but the fixes for them, which added file-name validation, already broke some existing use cases. There is a newer CVE-2020-15778 without a released fix, which allows possible command execution on a remote server by appending a command to an scp command, and we can expect more to come. Note that this is not a privilege escalation, as scp requires remote command execution by design.
The patches for these vulnerabilities usually break corner cases that have been in use for decades, so there is a very low chance of fixing them in existing RHEL releases, where we retain backward compatibility.
Supported alternatives
For this reason, we can no longer recommend that our customers use SCP to copy files remotely in new applications or scripts. Customers should consider using the SFTP protocol instead (implemented in the sftp binary or through the libssh library), which is well defined, does proper input checking and can grant more fine-grained permissions. The other possibility is using rsync with SSH transport for its simpler command-line API.
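For scripts that currently call scp to upload files, the move to sftp described above can look like the following. This is an added example, not Red Hat's code: the function names and the conservative path allow-list are choices made for the example, and the file names in the demo call are constructed.

```shell
#!/bin/sh
# Added example: upload with sftp batch mode instead of scp.
# Function names and the path allow-list are choices made for this example.

# True only for a "plain" path: non-empty, no leading "-", and built from
# letters, digits and . _ / - so it needs no quoting in an sftp batch line.
is_plain_path() (
    LC_ALL=C    # byte-wise ranges; the subshell body keeps this local
    case "$1" in
        ''|-*|*[!A-Za-z0-9._/-]*) false ;;
        *) true ;;
    esac
)

# Print one "put" line per local file. Nothing is printed unless every path
# passes the allow-list.
# Usage: sftp_put_batch REMOTE_PATH LOCAL_FILE...
sftp_put_batch() {
    is_plain_path "${1-}" || { echo "refusing remote path: ${1-}" >&2; return 1; }
    dest=$1; shift
    for f in "$@"; do
        is_plain_path "$f" || { echo "refusing local path: $f" >&2; return 1; }
    done
    for f in "$@"; do
        printf 'put %s %s\n' "$f" "$dest"
    done
}

# Send the batch to sftp on stdin ("-b -"). Batch mode stops at the first
# failed put, and the paths travel as SFTP requests, not as a remote command.
# Usage: sftp_upload USER@HOST REMOTE_PATH LOCAL_FILE...
sftp_upload() {
    [ "$#" -ge 3 ] || { echo "usage: sftp_upload HOST REMOTE_PATH FILE..." >&2; return 2; }
    host=$1; shift
    batch=$(sftp_put_batch "$@") || return 1
    printf '%s\n' "$batch" | sftp -b - -- "$host"
}

# Demo with constructed names: show the batch that would be sent.
sftp_put_batch /srv/upload report.txt build/app-1.2.tar.gz
```

If REMOTE_PATH is an existing directory on the server, each file is stored inside it under its own name.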
We are considering various options in addressing the SCP vulnerabilities problem in future RHEL releases.