Saturday, January 16, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

SCP implementations impacted by 36-years-old security flaws

January 14, 2019
in Internet Security
SCP implementations impacted by 36-years-old security flaws
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

All SCP (Secure Copy Protocol) implementations from the last 36 years, since 1983, are vulnerable to four security bugs that allow a malicious SCP server to make unauthorized changes to a client’s (user’s) system and hide malicious operations in the terminal.

The vulnerabilities have been discovered by Harry Sintonen, a security researcher with Finnish cyber-security firm F-Secure, who’s been working since August last year to have them fixed and patched in the major apps that support the SCP protocol.

You might also like

Linux Mint fixes screensaver bypass discovered by two kids

AI set to replace humans in cybersecurity by 2030, says Trend Micro

Ransomware attacks now to blame for half of healthcare data breaches

For our readers that are not familiar with SCP, the protocol is a “secure” implementation of the RCP (Remote Copy Protocol) –a protocol for transferring files across a network.

SCP works on top of the SSH protocol and supports an authentication mechanism to provide authenticity and confidentiality for transferred files, just like SSH provides the same thing for the older and insecure Telnet protocol.

Since its first release back in 1983, SCP has been used as a standalone app under the same name but has also been embedded inside other apps. For example, SCP is the standard file transfer method for OpenSSH, Putty, and WinSCP.

Whenever users transfer files between a server and client (or vice versa) via these apps, those transfer are, unbeknownst to the user, transferred via the SCP protocol –unless users have chosen to use the SFTP protocol as the default mode for data transfers.

In a security advisory published on his personal website last week, Sintonen revealed the existence of four major security bugs affecting SCP implementations:

  1. CVE-2018-20685 – An SCP client app allows a remote SCP server to modify permissions of the target directory.
  2. CVE-2019-6111 – A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).
  3. CVE-2019-6109 – The terminal client output can be manipulated via ANSI code to hide subsequent operations.
  4. CVE-2019-6110 – Similar as above.

The issues have their roots in the original BSD implementation of the RCP protocol, meaning all SCP implementations in the past 36 years are affected, although, to a different degree.

SCP implementation

Version

#1

#2

#3

#4

OpenSSH SCP

<=7.9

x

x

x

x

PuTTY PSCP

?

–

–

x

x

WinSCP SCP mode

<=5.13

–

x

–

–

Sintonen recommends applying any available patches for the listed clients. At the time of writing, only the WinSCP team has addressed the reported issues, with the release of WinSCP 5.14.

If patching is not an option or out of the user’s control, users are advised to configure SCP clients to request files via SFTP (Secure FTP) if possible.

It should be noted that any attacks that may try to exploit these vulnerabilities rely on a malicious party taking over an SCP server, or being in a Man-in-the-Middle position, although the MitM attack might be easier to spot as it requires the victim to accept the wrong host fingerprint.

Users who believe they might be impacted can keep an eye on Sirtonen’s security advisory for updated information for upcoming patches to other SCP clients, after this article’s publication date. We’ll do our best to keep this article up to date.

More cybersecurity news:

Credit: Source link

Previous Post

nThrive Announces Machine Learning Technology Offering

Next Post

IBM Connections Customizer Tutorial, Part 2

Related Posts

Linux Mint fixes screensaver bypass discovered by two kids
Internet Security

Linux Mint fixes screensaver bypass discovered by two kids

January 16, 2021
AI set to replace humans in cybersecurity by 2030, says Trend Micro
Internet Security

AI set to replace humans in cybersecurity by 2030, says Trend Micro

January 16, 2021
This new ransomware is growing in strength and could become a major threat warn researchers
Internet Security

Ransomware attacks now to blame for half of healthcare data breaches

January 15, 2021
Toyota slapped with $180 million fine for violating Clean Air Act
Internet Security

Toyota slapped with $180 million fine for violating Clean Air Act

January 15, 2021
More than 10mil users installed Android apps that showed out-of-context ads
Internet Security

More than 10mil users installed Android apps that showed out-of-context ads

January 15, 2021
Next Post

IBM Connections Customizer Tutorial, Part 2

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Linux Mint fixes screensaver bypass discovered by two kids
Internet Security

Linux Mint fixes screensaver bypass discovered by two kids

January 16, 2021
Readers’ Writes: Machine Learning | Readers Writes
Machine Learning

Readers’ Writes: Machine Learning | Readers Writes

January 16, 2021
AI set to replace humans in cybersecurity by 2030, says Trend Micro
Internet Security

AI set to replace humans in cybersecurity by 2030, says Trend Micro

January 16, 2021
Facebook builds A.I. to predict likelihood of worsening Covid symptoms
Machine Learning

Facebook builds A.I. to predict likelihood of worsening Covid symptoms

January 16, 2021
What Can You Do With Python in 2021? (Python Real Life Applications) | by Doga Ozgon | Dec, 2020
Neural Networks

What Can You Do With Python in 2021? (Python Real Life Applications) | by Doga Ozgon | Dec, 2020

January 16, 2021
ON24 files for an IPO
Digital Marketing

ON24 files for an IPO

January 16, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Linux Mint fixes screensaver bypass discovered by two kids January 16, 2021
  • Readers’ Writes: Machine Learning | Readers Writes January 16, 2021
  • AI set to replace humans in cybersecurity by 2030, says Trend Micro January 16, 2021
  • Facebook builds A.I. to predict likelihood of worsening Covid symptoms January 16, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates