Numerous IT media outlets, including The Register and Hacker News, reported earlier this week that serious vulnerabilities affecting several SCP (Secure Copy Protocol) clients have been discovered by Finnish IT security researcher Harry Sintonen.
What’s the fuss about?
In essence, the vulnerabilities stem from a design oversight in the susceptible SCP clients, which use RCP-style transfer over SSH: during a download, a malicious server can covertly write to files on the client computer other than the ones the client asked for. The original advisory describing the vulnerabilities in detail and their CVE IDs can be found at https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt.
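To make the design oversight concrete, here is an added example (not code from the advisory, OpenSSH, PuTTY or WinSCP) of the client-side check that a hardened RCP-style scp client needs: the server announces each file with a `C<mode> <size> <name>` record (directories with `D...`, timestamps with `T...`, which is a simplified model of the protocol assumed here), and the client must refuse any name it did not request, any name containing a path separator, and the dot names. The example covers a single-file, non-recursive download; the sample record stream is constructed.

```python
import posixpath
import re

# File/directory record as sent by an rcp-style scp server during a download:
# "C<mode> <size> <name>" for a file, "D<mode> 0 <name>" for a directory.
# (Simplified model of the protocol, an assumption of this example.)
RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")
# Timestamp record sent when the client asked to preserve times ("-p").
TIME_RE = re.compile(r"^T\d+ 0 \d+ 0$")


def validate_record(record: str, requested: str) -> tuple[bool, str]:
    """Decide whether a server record may be acted on, for a single-file
    (non-recursive) download of `requested`.  Returns (accepted, reason).

    The rule is the one a vulnerable client omits: only a bare file name that
    the client itself asked for is ever written to disk."""
    if TIME_RE.match(record):
        return True, "timestamp record, nothing written"
    if record == "E":
        return False, "end-of-directory record in a non-recursive transfer"
    m = RECORD_RE.match(record)
    if not m:
        return False, "malformed record"
    kind, _mode, _size, name = m.groups()
    if name in ("", ".", ".."):
        return False, "empty or dot name"
    if any(c in name for c in "/\\\0\n\r"):
        return False, "path separator or control character in name"
    if kind == "D":
        return False, "directory record in a non-recursive transfer"
    if name != posixpath.basename(requested):
        return False, f"server offered {name!r}, client asked for {requested!r}"
    return True, "ok"


def filter_download(records: list[str], requested: str) -> dict[str, list[str]]:
    """Run every record through validate_record and bucket the results."""
    result: dict[str, list[str]] = {"accepted": [], "rejected": []}
    for rec in records:
        ok, reason = validate_record(rec, requested)
        result["accepted" if ok else "rejected"].append(f"{rec}: {reason}")
    return result


if __name__ == "__main__":
    # Constructed sample stream: the record the client expects, followed by
    # the kinds of unexpected records a hardened client must refuse.
    stream = ["T1546300800 0 1546300800 0", "C0644 12 report.txt",
              "C0644 7 other.txt", "C0644 7 ../other.txt", "C0755 0 .",
              "D0755 0 subdir"]
    for line in filter_download(stream, "remote/report.txt")["rejected"]:
        print("rejected ->", line)
```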
The vulnerabilities do not affect SSH.COM Tectia products
The vulnerabilities reportedly affect certain versions of OpenSSH's scp, PuTTY's PSCP, and WinSCP products (see the advisory referenced above for the exact versions).
The advisory by Mr. Sintonen states that SSH Tectia products are not affected. After studying the issue further, SSH.COM confirms this assessment. SSH Tectia products use the scpg3 client, which exclusively uses the SFTP protocol, and SFTP does not have these vulnerabilities. This applies to all Tectia products, including Tectia SSH Client/Server and Tectia SSH z/OS. The predecessor SSH Secure Shell, with its scp2 client, also uses SFTP exclusively and is not vulnerable.
Now that we have that out of the way, we can delve a bit deeper into what these vulnerabilities could mean and how to avoid all the nastiness.
How could the SCP vulnerabilities be exploited?
The research highlights how these vulnerabilities could be exploited so that compromised servers could overwrite files on a computer connected via SCP, including SSH key authorization files and critical data.
What’s worse, the vulnerabilities potentially expose the victim to man-in-the-middle attacks and allow malicious modifications on the vulnerable machine, making it straightforward to extend the attacker’s lateral movement to all machines connecting via SCP to that server.
This offers an interesting (or frightening, depending on your point of view) attack vector compared to conventional attacks on servers. Here we see the potential for a hacker to insert a backdoor or man-in-the-middle component. Consequences could be particularly severe in environments where many clients perform SCP operations, especially automated file transfers that have been set up and forgotten. From one compromised server, a hacker could easily add their own keys and gain access to all the clients performing file transfers.
Remediating actions for the SCP vulnerabilities
As highlighted in the research, OpenSSH SCP users should consider switching to SFTP if possible. If you need an enterprise-class SFTP for mission-critical file transfers with global 24/7 enterprise support, you might want to take a look at our Tectia SSH products. They feature the fastest SFTP performance and are backed by the world’s foremost experts in Secure Shell technologies (i.e. SSH.COM).
Most companies have SSH enabled in the ‘plumbing’. It is recommended to employ SSH hardening best practices, such as configuring ‘SSH Lockdown’ on all machines running SSH servers and operating file transfers with the least privileges possible on the client side as well. Vulnerabilities such as this also highlight how user-controlled, unmanaged SSH key authorization files are attractive targets for hackers.
What does this mean for the enterprise?
Open source software is essential for modern software development – no debate there. Enterprises are moving towards DevOps-type application development, where individual engineers have the freedom to build their own stack. The challenge is how to measure the risk of the flourishing use of disparate software building blocks in tiny pockets of the company. The enterprise must choose wisely: when to give more freedom, when open source tooling provides the best risk balance, and when to use enterprise-class solutions.
The role of SSH clients and servers in secure file transfer, automated data flow and remote access often goes unnoticed. The SSH (Secure Shell) protocol is also ubiquitous in the plumbing of all major enterprises and agencies. Lack of Secure Shell governance, missing SSH policies and unhardened SSH infrastructure in the enterprise breeds compound risk. Operational processes, outsource management, mass data usage, business continuity, cloudification, digitalization, IT governance – that's 7 of KPMG's key internal audit risks heading to 2020 – are all directly affected by how the enterprise balances risk around secure access and data flow enabled by Secure Shell.
Do you need help?
Chances are that automated secure shell connections are more widely used in your environment than you know. Our Universal SSH Key Manager® gives you the visibility in large environments and efficiently flags changes in authorized SSH keys and SSH configurations, catching anyone trying to make changes outside of the approved policies.
We also offer a free SSH Key Risk Assessment service for qualified companies that lets you know the state of your SSH estate and gives you actionable suggestions if there are issues that need to be addressed. Those suggestions go beyond a mere sales pitch for our SSH UKM, the process-driven SSH key management solution.
Markku Rossi
Markku Rossi is CTO and responsible for R&D at SSH.COM. Markku was with SSH from 1998-2005 as a Chief Engineer and was a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies such as Codento and ShopAdvisor, and served as CTO at Navicore and as...