CVE-2020-15778: OpenSSh Remote Comand Injection Vulnerability Alert

Security researcher, Chinmay Pandya discovered a command injection vulnerability (CVE-2020-15778) in the scp component of openssh. The scp in OpenSSH 8.3p1 allows commands to be injected into the remote function of scp.c, and attackers can use this vulnerability to execute arbitrary commands. Most Linux systems are currently affected. Researchers confirmed that the PoC currently public on the Internet has the ability to exploit this vulnerability.

OpenSSH is an open-source implementation for remote login using the SSH protocol. SSH prevents eavesdropping, connection hijacking, and other attacks by encrypting the interactive traffic. OpenSSH is developed by some developers of the OpenBSD project and is provided under a BSD-style license, and has been integrated into many commercial products.

scp is a program for copying files between computers. It uses the SSH protocol. It is included by default in most Linux and Unix distributions. In the Linux system, scp is used to copy files and directories between Linux, based on ssh login for secure remote file copy commands. This command is implemented by openssh scp.c and other related codes.

When copying files to a remote host, the file path will be appended to the local scp command. When the local scp command is executed, scp will not check, filter, and clear the file name. This allows the attacker to execute a valid scp command with backticks, the local shell will also execute the commands in the backticks.

Affected version

• Openssh <=8.3p1
  

The patch for this vulnerability is not available.