CVE-2018-20685
Description
OpenSSH scp client in version 7.9 allows a malicious server to modify target directory permissions by sending an empty or dot filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenSSH 7.9, the scp client (scp.c) fails to properly validate directory names received from the remote server. Specifically, the sink() function does not reject empty filenames ("") or a single dot (".") as directory names. When the server sends a directory transfer command with an empty or dot name, the client applies the specified permissions (e.g., D0777 0 \n) to the target directory on the client side. This affects OpenSSH versions up to and including 7.9; the issue was introduced in the original rcp-based implementation. [2][4]
Exploitation
An attacker who controls an SSH server (or who performs a man-in-the-middle attack in which the victim accepts the wrong host fingerprint) can send a crafted SCP protocol response. When the victim uses scp to copy files from the malicious server, the server sends a directory directive with an empty or dot filename. The client, without proper validation, applies the permissions from that directive to the target directory (e.g., the current directory). No additional authentication or user interaction beyond the initial scp command is required. [2]
Impact
Successful exploitation allows the attacker to arbitrarily change the permissions of the target directory on the client side. This could lead to privilege escalation or unauthorized access if the directory permissions are weakened (e.g., made world-writable). The vulnerability does not directly allow file content modification or remote code execution, but combined with other flaws (like CVE-2019-6111) it can be part of a larger attack chain. [2][3]
Mitigation
The fix was committed to OpenSSH portable on 2018-11-16 (commit 6010c0303a422a9c5fa8860c061bf7105eb7f8b2) and released in OpenSSH 8.0. Red Hat Enterprise Linux 8 shipped openssh-8.0p1-3.el8 [1]. Ubuntu released updates in USN-3885-1 on 2019-02-07 [3]. Users should upgrade to OpenSSH 8.0 or later. As a workaround, avoid using scp with untrusted servers; use sftp or rsync instead. [2][4]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =7.9
Vulnerability mechanics
Root cause
"Missing validation of directory name in scp client allows server to set permissions of the target directory via empty or dot directory name."
Attack vector
An attacker-controlled SCP server sends a directory name of "." or an empty string (e.g., "D0777 0 .\n" or "D0777 0 \n") to the client [ref_id=1]. The scp client in OpenSSH 7.9 accepts these names without verifying they match the requested target directory, and applies the permissions specified in the directory command to the client-side target directory [ref_id=1]. The attacker needs only to control the SSH server (or perform a MitM attack with the victim accepting the wrong host fingerprint) and have the victim run scp to retrieve a file [ref_id=1].
Affected code
The vulnerability exists in scp.c in OpenSSH versions up to and including 7.9 [ref_id=1]. The advisory does not specify the exact function or line number, but the flaw is in the client-side code that processes directory commands (the "D" command) received from the server without validating the directory name [ref_id=1].
What the fix does
The advisory recommends applying the patch at commit 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 to fix this vulnerability [ref_id=1]. No patch diff is included in the bundle, but the fix is described as adding proper validation of the directory name received from the server to reject empty or dot directory names that would allow unauthorized permission changes [ref_id=1]. The advisory also suggests switching to sftp as a general mitigation [ref_id=1].
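The name validation described under "Vulnerability" and "What the fix does", as an added example: it is not OpenSSH's scp.c and is not taken from the cited commit. The function names, the result codes and the exact behaviour of the weak check are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { REC_OK = 0, REC_MALFORMED = -1, REC_BAD_NAME = -2 }; /* hypothetical codes */
struct dir_record { unsigned mode; char name[256]; };

/* Weak check (assumed, for contrast): "" and "." pass, so the mode hits the target dir. */
int name_ok_weak(const char *n)
{
    return strchr(n, '/') == NULL && strcmp(n, "..") != 0;
}

/* Hardened check: also refuse the empty name and ".". */
int name_ok_strict(const char *n)
{
    return *n != '\0' && strcmp(n, ".") != 0 && name_ok_weak(n);
}

/* Parse one untrusted "D<octal mode> <size> <name>\n" record. */
int parse_dir_record(const char *line, struct dir_record *out)
{
    char *p;
    if (line[0] != 'D' || line[1] < '0' || line[1] > '7')
        return REC_MALFORMED;
    unsigned long mode = strtoul(line + 1, &p, 8);
    if (*p != ' ' || mode > 07777 || !isdigit((unsigned char)p[1]))
        return REC_MALFORMED;
    (void)strtoul(p + 1, &p, 10);          /* size field, ignored for 'D' */
    if (*p++ != ' ')
        return REC_MALFORMED;
    size_t len = strcspn(p, "\n");
    if (p[len] != '\n' || len >= sizeof(out->name))
        return REC_MALFORMED;
    memcpy(out->name, p, len);
    out->name[len] = '\0';
    if (!name_ok_strict(out->name))
        return REC_BAD_NAME;               /* stop before any mkdir/chmod */
    out->mode = (unsigned)mode;
    return REC_OK;
}

int main(void)
{
    struct dir_record r;
    printf("%d\n", parse_dir_record("D0777 0 .\n", &r));
    return 0;
}
```

A receiver built this way treats every field of the record as server-controlled input and refuses the record before any filesystem call is made on the name.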
Preconditions
- network: Attacker must control the SSH server the victim connects to, or perform a Man-in-the-Middle attack (victim must accept the wrong host fingerprint).
- input: Victim must run scp to retrieve a file from the attacker-controlled server.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:3702 (mitre, vendor-advisory)
- security.gentoo.org/glsa/201903-16 (mitre, vendor-advisory)
- security.gentoo.org/glsa/202007-53 (mitre, vendor-advisory)
- usn.ubuntu.com/3885-1/ (mitre, vendor-advisory)
- www.debian.org/security/2019/dsa-4387 (mitre, vendor-advisory)
- www.securityfocus.com/bid/106531 (mitre, vdb-entry)
- lists.debian.org/debian-lts-announce/2019/03/msg00030.html (mitre, mailing-list)
- cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf (mitre)
- cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff (mitre)
- github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 (mitre)
- security.netapp.com/advisory/ntap-20190215-0001/ (mitre)
- sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt (mitre)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (mitre)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (mitre)