New research has found a collection of vulnerabilities in different SCP clients, revealing that the secure copy protocol (SCP) might not be as secure as people think. An attacker can exploit the vulnerabilities to install a backdoor or other malware in a company network, steal confidential information, or commit virtually any other post-compromise action they want.
The research, conducted by F-Secure Senior Security Consultant Harry Sintonen, identified the vulnerabilities in WinSCP, PuTTY PSCP, and OpenSSH. Harry identified the vulnerabilities and created a proof-of-concept attack that he can use to stealthily write or overwrite files in the client’s SCP target directory, change the directory’s permissions, and spoof the client’s output.
The vulnerabilities aren’t the most severe issues facing IT admins (man-in-the-middle access needs to be established before the attack will work). But they do mean the “secure” part of SCP might be a little less reliable than companies might like. And Harry says the lack of awareness of this is what makes vulnerabilities like these useful to black hat hackers.
“Secure doesn’t mean invulnerable to exploitation. And SCP is no exception. Users need to manually verify the host identity the first time they connect, leaving room for user error. And vulnerabilities in SCP implementations make it easy for an attacker to overwrite files in the target directory,” explains Harry. “So if an attacker can get between the SCP client and server – or trick the client into connecting with a malicious server via phishing or DNS spoofing or something – it’s trivial for them to execute malicious commands without the client knowing it.”
SCP was created in the mid-nineties as a way to transfer files between devices over a network. It adds SSH to the remote copy protocol (RCP), the protocol SCP is based on. This additional layer of security makes SCP a more secure alternative to FTP and RCP.
That’s why it has “secure” in the name.
While the addition of SSH was an improvement, SCP didn’t address all of RCP’s shortcomings. For example, RCP doesn’t warn users before overwriting files. SCP has the same issue.
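The overwrite problem above comes down to the client trusting whatever file metadata the server sends. In the SCP protocol the server announces each transfer with a control line such as `C0644 <size> <name>`, `D0755 0 <dirname>` or `E`, and the client creates or overwrites whatever that line names. The following is an added example of the checks a hardened client could apply before acting on such a line; it is not code from OpenSSH, WinSCP or PuTTY and not Harry’s patch. The message format is the real SCP wire format; the class and function names are this example’s own, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SCP "sink" control messages, as sent by the server to the receiving client:
#   C<mode> <size> <name>   announce a file
#   D<mode> 0 <name>        enter a directory
#   E                       leave the current directory
#   T<mtime> 0 <atime> 0    timestamps for the next entry
_ENTRY_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")

# Terminal escape sequences (CSI form); a server can embed these in its
# error channel to hide or forge lines in the client's output.
_CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


class ScpProtocolError(ValueError):
    """Raised when the server sends something the client must not act on."""


@dataclass
class ScpEntry:
    kind: str   # "C" for a file, "D" for a directory
    mode: int   # permission bits the server asked for, as an int
    size: int
    name: str


def validate_name(name: str) -> str:
    """Reject names that would let the server write outside the target directory."""
    if name in ("", ".", ".."):
        raise ScpProtocolError(f"invalid entry name {name!r}")
    if "/" in name or "\\" in name:
        raise ScpProtocolError(f"path separator in entry name {name!r}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ScpProtocolError(f"control character in entry name {name!r}")
    return name


def parse_entry(line: str, expected: Optional[str] = None) -> ScpEntry:
    """Parse a C/D line; when the client asked for one file, insist on that name."""
    line = line.rstrip("\n")
    m = _ENTRY_RE.match(line)
    if not m:
        raise ScpProtocolError(f"malformed control message {line!r}")
    kind, mode_str, size_str, name = m.groups()
    name = validate_name(name)
    if expected is not None and name != expected:
        raise ScpProtocolError(f"server sent {name!r} but client requested {expected!r}")
    mode = int(mode_str, 8)
    # Never let a remote peer decide that a local file is setuid or setgid.
    if mode & 0o6000:
        raise ScpProtocolError(f"refusing setuid/setgid mode {mode_str} for {name!r}")
    return ScpEntry(kind, mode, int(size_str), name)


def sanitize_server_output(text: str) -> str:
    """Strip escape sequences and non-printables from server-supplied messages."""
    text = _CSI_RE.sub("", text)
    return "".join(c if c.isprintable() or c in "\n\t" else "?" for c in text)


if __name__ == "__main__":
    # Constructed messages: one honest announcement, then the kinds a
    # malicious server might send to a client that requested "report.pdf".
    print(parse_entry("C0644 2048 report.pdf\n", expected="report.pdf"))
    for bad in ("C0644 5 ../.bashrc\n", "D0777 0 .\n", "C4755 10 report.pdf\n"):
        try:
            parse_entry(bad, expected="report.pdf")
        except ScpProtocolError as err:
            print("rejected:", err)
    print(repr(sanitize_server_output("\x1b[2J\x1b[Hall files copied\n")))
```

The `expected` argument is the important part: a client that asked for one file has no reason to accept any other name, and checking that closes the overwrite path regardless of how the name is dressed up. Output sanitising is a separate concern, but it is what stops a server from hiding its own error lines from the person running the client.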
Harry says the barriers to making the attack work are high enough to prevent attackers from using these vulnerabilities in some sort of massive, opportunistic crime wave. But the attack capitalizes on the lack of understanding about SCP’s – and even SSH’s – level of security. So even though the attack won’t appeal to opportunistic cyber criminals, targeted attackers will find it effective against targets using SCP.
“The attack only works if the victim accepts the wrong fingerprints. So it’s important that companies know that this isn’t something SCP clients do automatically,” explains Harry. “It’s such an easy thing to take for granted that virtually nobody really checks this, so there will be attackers that can use this kind of tactic effectively.”
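Because the attack depends on the victim accepting a wrong host key fingerprint, the practical defence is to pin the expected fingerprint and check it before any copy runs, instead of relying on whoever is at the keyboard. The block below is an added example of that check, not code from OpenSSH or from Harry’s research: it computes the OpenSSH-style `SHA256:` fingerprint of a public key blob (base64 of the SHA-256 digest, padding removed) and compares it against a pinned value for a host found in `known_hosts`. The host name, the key material and the `known_hosts` line are all constructed for the example, and plain (unhashed) `known_hosts` entries are assumed.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# Hypothetical pinned value for a hypothetical host; in a real deployment this
# is the fingerprint obtained out of band from the server administrator.
PINNED_HOST = "files.example.internal"


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[List[str], str, bytes]]:
    """Return (hosts, key type, key blob) for each plain entry; skips comments and
    hashed (|1|...) entries, which this example does not handle."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, key_type, key_b64 = fields[0].split(","), fields[1], fields[2]
        entries.append((hosts, key_type, base64.b64decode(key_b64)))
    return entries


def host_key_matches_pin(known_hosts_text: str, host: str, pinned_fp: str) -> bool:
    """True only if known_hosts carries a key for `host` whose fingerprint equals the pin."""
    for hosts, _key_type, blob in parse_known_hosts(known_hosts_text):
        if host in hosts and fingerprint_sha256(blob) == pinned_fp:
            return True
    return False


# Constructed ed25519-shaped key blob (all-zero key bytes, not a real key) and a
# known_hosts line built from it, so the example runs offline.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example file",
    f"{PINNED_HOST},10.0.0.5 ssh-ed25519 {base64.b64encode(SAMPLE_BLOB).decode('ascii')}",
])
SAMPLE_PIN = fingerprint_sha256(SAMPLE_BLOB)

if __name__ == "__main__":
    print("pin:", SAMPLE_PIN)
    print("ok to copy:", host_key_matches_pin(SAMPLE_KNOWN_HOSTS, PINNED_HOST, SAMPLE_PIN))
    print("wrong pin :", host_key_matches_pin(SAMPLE_KNOWN_HOSTS, PINNED_HOST, "SHA256:" + "A" * 43))
```

A script that wraps `scp` would run this check first and refuse to start the copy when it returns `False`; it is the scripted equivalent of comparing the fingerprint printed on first connection against one obtained out of band, which is the step Harry says almost nobody performs.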
Harry presented his research and demoed his proof-of-concept (POC) attack at this year’s Disobey conference in Helsinki. Here’s the basic POC he showed the audience.
Is open source software secure enough for organizations?
Harry conducted the research out of professional interest in how attackers could compromise targets that rely on popular, open source components. Free and open source software is the backbone of many popular applications. Traditionally, developers rely on one another to validate open source code, which can be effective for code that’s popular.
But the practice is hardly bulletproof. The disclosure of the Heartbleed bug back in 2014 spurred the creation of the EU Commission’s Free and Open Source Software Audit (FOSSA). The project’s intent is to document and help secure pieces of open source software widely used in Europe. And in a recent move, FOSSA was expanded to offer bug bounties on 15 open source software projects.
Unfortunately, the bug bounties don’t include SCP and many other pieces of software. But Harry says there’s no reason to panic.
“Companies should be embracing OSS options, but not without doing some due diligence on their own. They can audit the source code, research whether the particular software has a history of critical vulnerabilities, and establish internal processes to make sure they’re being proactive in monitoring and dealing with the software’s security,” said Harry. “SCP has kind of fallen through the cracks, but that happens with OSS sometimes and companies can prepare themselves to deal with it.”
Besides raising awareness, Harry recommends that companies switch to using SFTP if they can. Patches are available for companies stuck with SCP, including an OpenSSH patch Harry developed.
More information on the patches and vulnerabilities is available in Harry’s advisory.