VYPR
Unrated severity · NVD Advisory · Published Jul 24, 2020 · Updated Aug 4, 2024

CVE-2020-15778

Description

OpenSSH scp through 8.3p1 allows command injection via backtick characters in the destination argument, enabling remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-15778 is a command injection vulnerability in the scp utility of OpenSSH through version 8.3p1 [1]. The flaw resides in the toremote function in scp.c, where the destination argument is passed to a shell on the remote host without proper sanitization. An attacker can inject arbitrary commands by including backtick characters (`) in the destination string. The vendor has stated that it intentionally omits validation of "anomalous argument transfers" to avoid breaking existing workflows [1].

Exploitation

Exploitation requires an attacker to supply a crafted destination argument to an scp command. This can occur when a user or script copies a file to a remote host using a destination string that includes backticks, e.g., scp file user@host:'malicious_command'. The backtick-enclosed command is executed on the remote system during the copy operation. No special privileges are needed beyond the ability to invoke scp with a controlled destination. The attack does not require authentication to the remote host beyond the normal SSH credentials.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the remote system with the privileges of the user running scp. This can lead to full compromise of the remote host, including data exfiltration, installation of malware, or lateral movement within a network. The impact is rated as Moderate by Red Hat [2].

Mitigation

Red Hat has released an update (RHSA-2024:3166) for Red Hat Enterprise Linux 8 that addresses this vulnerability [2]. Gentoo recommends upgrading to OpenSSH version 9.1_p1 or later [4]. The upstream OpenSSH project has deprecated the legacy SCP protocol in favor of SFTP; users are advised to migrate to sftp or rsync for file transfers [1]. As a workaround, avoid using scp with untrusted destination arguments and ensure that scripts do not pass user-controlled input to the destination parameter.
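The workaround above ("ensure that scripts do not pass user-controlled input to the destination parameter") is the control a script author can actually implement today. The following is an added example, not code from the VYPR page or from the OpenSSH project: a small wrapper that refuses any remote path containing characters a POSIX shell could interpret, then builds the scp argument vector as a list so that no local shell is involved either. The allowlist, the function names, and the sample destinations are all assumptions constructed for this illustration; the remote-side shell interpretation is the reason the allowlist, rather than quoting, is the control.

```python
import re
import subprocess

# Allowlist for the remote path: letters, digits and a few punctuation
# characters that carry no meaning to a POSIX shell. Backticks, $(...),
# ; | & quotes, whitespace and glob characters are all refused, because
# scp hands the destination to a shell on the remote host (the CVE-2020-15778
# injection point). The character sets are this example's own choice.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./~-]+$")
_SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")
_SAFE_USER = re.compile(r"^[A-Za-z0-9_.-]+$")


class UnsafeDestination(ValueError):
    """Raised when a destination component fails the allowlist."""


def validate_remote_path(path: str) -> str:
    """Return `path` unchanged if it is safe to place after 'user@host:'."""
    if not path or not _SAFE_PATH.fullmatch(path):
        raise UnsafeDestination(
            f"refusing remote path with shell-significant characters: {path!r}"
        )
    # A leading '-' would otherwise let a path masquerade as an scp option.
    if path.startswith("-"):
        raise UnsafeDestination(f"remote path must not look like an option: {path!r}")
    return path


def build_scp_argv(local_file: str, user: str, host: str, remote_path: str) -> list:
    """Build the scp argument vector with every remote component validated.

    Returning a list (and later running it without shell=True) keeps the
    local side free of shell parsing; the allowlist covers the remote side.
    """
    if not _SAFE_USER.fullmatch(user):
        raise UnsafeDestination(f"bad user: {user!r}")
    if not _SAFE_HOST.fullmatch(host):
        raise UnsafeDestination(f"bad host: {host!r}")
    validate_remote_path(remote_path)
    # '--' ends option parsing so a local filename can never be read as a flag.
    return ["scp", "-o", "BatchMode=yes", "--", local_file, f"{user}@{host}:{remote_path}"]


def run_scp(local_file: str, user: str, host: str, remote_path: str) -> int:
    """Validate, then invoke scp as a plain argv (no shell). Returns exit status."""
    argv = build_scp_argv(local_file, user, host, remote_path)
    return subprocess.run(argv, check=False).returncode


def screen_destinations(candidates) -> list:
    """Return the subset of candidate remote paths the validator rejects."""
    rejected = []
    for candidate in candidates:
        try:
            validate_remote_path(candidate)
        except UnsafeDestination:
            rejected.append(candidate)
    return rejected


if __name__ == "__main__":
    # Constructed sample destinations: one benign path and several that a
    # script must never forward to scp unchanged.
    samples = [
        "/srv/uploads/report.txt",
        "/tmp/`id`",
        "/tmp/$(id)",
        "/tmp/a;b",
        "/tmp/a b",
        "-oProxyCommand=x",
    ]
    for s in samples:
        status = "rejected" if s in screen_destinations([s]) else "accepted"
        print(f"{status:8s} {s}")
    print(build_scp_argv("report.txt", "alice", "files.example.com", "/srv/uploads/report.txt"))
```

The wrapper deliberately does not try to quote or escape a bad path: because the remote scp invocation runs through the remote user's shell, quoting rules differ by shell and are easy to get wrong, whereas refusing anything outside a small allowlist is simple to reason about. Scripts that need arbitrary remote filenames should follow the page's advice and move to sftp, which does not route the path through a shell.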

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 10

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.