SecurID® Knowledge Base

RSA response to CVE-2020-15778 vulnerability with scp Command Injection in OpenSSH

Article Number

000039893

Applies To

RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6.0, 8.5.x, 8.4, all 8.x
Platform: All
O/S Version: ESXi 5.0, Suse Linux 12.3, 12.x, 11.x
Product Name: Authentication Manager
Product Description: Appliance

Issue

Qualys is showing the following: S3 - OpenSSH Command Injection Vulnerability (Generic)
First Detected: 11/09/2020 at 22:58:02 (GMT-0500)
Last Detected: 10/04/2021 at 21:41:25 (GMT-0500)
Times Detected: 53
Last Fixed: N/A
QID: 105936
Category: Security Policy
CVE ID: CVE-2020-15778
Vendor Reference: OpenSSH
Bugtraq ID:
CVSS Base: 6.8 CVSS Temporal: 6.1 CVSS3 Base: 7.8 CVSS3 Temporal: 7.0

Note: Affected versions checked up to 8.6p1 as per PoC.
IMPACT: Successful exploitation could disclose sensitive information.
SOLUTION: No solution available from Linux vendors yet.
Workaround: As per upstream, scp is based on a historical protocol called rcp, which relies on that style of argument passing and therefore encounters expansion problems. Changing how the scp command line works would break the patterns used by scp consumers. Upstream therefore recommends using rsync in place of scp for better security. More details about supported alternatives are available in the Red Hat guide.
COMPLIANCE: Not Applicable
EXPLOITABILITY: Qualys Reference: CVE-2020-15778 Description: Github Link: https://github.com/cpandya2909/CVE-2020-15778/
ASSOCIATED MALWARE: There is no malware information for this vulnerability.
RESULTS: Vulnerable version of OpenSSH Detected: OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016

Cause

THREAT: OpenSSH is the premier connectivity tool for remote login with the SSH protocol. scp in OpenSSH through 8.6p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument.
Affected Versions: 8.6p1 and prior versions of OpenSSH
QID Detection Logic: The QID checks for the vulnerable versions of OpenSSH and checks for the presence of the scp command by executing 'which scp'.

CVE-2020-15778 (Qualys QID 105936), as described by NIST:
** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Published: July 24, 2020; 10:15:12 AM -0400
https://nvd.nist.gov/vuln/search/results?cves=on&cpe_version=cpe:/a:openbsd:openssh:6.6.1p1
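To make the "backtick characters in the destination argument" concrete, the following is an added illustration (not code from OpenSSH, Qualys or RSA) of how the scp client builds the command it asks the remote sshd to run, and why the remote login shell then executes whatever is inside the backticks. The "remote host" is simulated by a local `sh -c`, which is how sshd hands a requested command to the user's shell; no SSH connection is made and no real scp is executed (the shell prints the argv it would have run). The quoted variant is an assumed client-side mitigation, shown only to illustrate the trade-off the OpenSSH response describes; it is not an OpenSSH change.

```shell
#!/bin/sh
# Added illustration, not code from OpenSSH or RSA: models scp's toremote()
# command construction and the remote shell's expansion of the destination.
set -eu

# What the scp client asks the remote sshd to run for `scp file host:DEST`.
# The text after the colon is pasted in unquoted; that is the bug.
build_remote_command() {
    path=${1#*:}
    printf 'scp -t -- %s' "$path"
}

# Assumed hardened variant (not an OpenSSH change): single-quote the path so the
# remote shell treats it literally. Trade-off: remote ~user and glob expansion
# stop working, which is the "breaking existing workflows" concern upstream raises.
build_remote_command_quoted() {
    path=${1#*:}
    quoted=$(printf '%s' "$path" | sed "s/'/'\\\\''/g")
    printf "scp -t -- '%s'" "$quoted"
}

# Stand-in for the remote side: sshd runs the requested command as
# `$SHELL -c '<command>'`. Here the shell expands the words exactly as it would
# on the real remote host (backticks and $(...) included, side effects and all)
# but prints the resulting argv instead of executing scp.
simulate_remote_shell() {
    sh -c "set -- $1; printf '%s\n' \"\$@\""
}

if [ "${0##*/}" = "scp_injection_demo.sh" ]; then
    # Constructed destination in the style of the public PoC: the backticks run
    # `touch marker` on the remote host before scp ever starts.
    cmd=$(build_remote_command 'rsaadmin@am-appliance:`touch marker`/tmp/out')
    echo "client sends: $cmd"
    echo "remote shell would exec:"
    simulate_remote_shell "$cmd"
    ls -l marker
fi
```

Note that the injected command executes on the host named in the destination, as the account scp authenticated with; on a normal interactive `scp` the destination is typed by the same person, so the risk is confined to scripts or wrappers that build the destination from untrusted input.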
 

Resolution

Response from the OpenSSH group:
 The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize the situation sucks. But we don't want to break the easy patterns people use scp for until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.

RSA Response
This is again NOT associated with the SSH server running on AM appliances, but with the scp (secure copy) client command, which would be run by the appliance administrator from the command line.
This is a client bug: it can only be triggered by running the OpenSSH scp client at the Linux command line with a destination argument containing shell metacharacters, and the injected command runs on the remote host named in that destination, under the account scp authenticates as. It does not really affect AM for three reasons:
  1. A user would have to log in (SSH) to Linux as an unprivileged user and use scp to elevate their privileges or run privileged commands. No one logs into AM Linux except with the full privileges of rsaadmin.
  2. SSH and console access to Linux is strictly controlled on the AM appliance.
  3. No AM application uses the scp command; a user would have to run it themselves and inject something to elevate their privileges, which any user accessing AM Linux would already have.
 
OpenSSH is not going to fix this because of this limited exposure and because fixing it could break some legitimate uses of scp. See the workaround for a way to pass the Qualys scan.

Workaround

The Qualys scan uses the 'which' command to find scp, so renaming /usr/bin/scp on the AM appliance's SUSE Linux will stop Qualys from reporting this issue. Note that this only clears the scan finding: the renamed binary is still present and can be run by its new path, and an operating-system update that ships the OpenSSH client package may put /usr/bin/scp back, so re-run the scan after patching.
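The detection described above and the rename workaround, as an added example that is not RSA's or Qualys's own script. It takes the directory to operate on as an argument so it can be tried in a scratch directory rather than on /usr/bin of a live appliance, and it shows what the rename does and does not change. `command -v` is used for the lookup because it performs the same PATH search as `which` without depending on an external binary.

```shell
#!/bin/sh
# Added example, not RSA's or Qualys's script: models the QID 105936 check
# ("which scp") and the /usr/bin/scp rename workaround from the article.
set -eu

# The scanner's check: is an executable named scp reachable through the PATH
# given as $1? Same lookup `which scp` performs. Returns 0 if found.
scanner_sees_scp() {
    ( PATH="$1"; command -v scp ) >/dev/null 2>&1
}

# The workaround: rename the scp binary in directory $1 (/usr/bin on the
# appliance) to a name the scanner will not look for.
hide_scp() {
    [ -f "$1/scp" ] || { echo "no scp in $1" >&2; return 1; }
    mv "$1/scp" "$1/scp.disabled"
}

# Undo, for when the administrator needs the scp client back.
restore_scp() {
    [ -f "$1/scp.disabled" ] || { echo "no scp.disabled in $1" >&2; return 1; }
    mv "$1/scp.disabled" "$1/scp"
}

# The caveat: the renamed file is still an executable on the host. The rename
# clears the scan finding; it does not remove the scp client.
hidden_scp_still_present() {
    [ -x "$1/scp.disabled" ]
}

if [ "${0##*/}" = "scp_rename_demo.sh" ]; then
    # Demonstration against a constructed fake scp in a scratch directory.
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$dir/scp"
    chmod +x "$dir/scp"
    scanner_sees_scp "$dir" && echo "before rename: scanner finds scp"
    hide_scp "$dir"
    scanner_sees_scp "$dir" || echo "after rename: scanner does not find scp"
    hidden_scp_still_present "$dir" && echo "but $dir/scp.disabled still runs"
    rm -rf "$dir"
fi
```

On a real appliance the directory argument would be /usr/bin; re-run `scanner_sees_scp` (or the Qualys scan itself) after any operating-system patch, since a package update can reinstall /usr/bin/scp alongside the renamed copy.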

Version history
Last update: 2021-10-10 06:30 PM