Support Content Notification - Support Portal

command injection in scp.c

Product/Component

Brocade Fabric OS

0 more products

Notification Id

22769

Last Updated

07 November 2023

Initial Publication Date

07 November 2023

Status

CLOSED

Severity

LOW

CVSS Base Score

7.8

WorkAround

Affected CVE

CVE-2020-15778

Brocade Security Advisory ID	BSA-2023-1095
Component	openSSH

Summary

The scp functionality in OpenSSH is vulnerable to command injection via backtick characters in the destination argument. The command will be run with the permissions of the user with which the files were copied on the remote server. To exploit this issue an attacker must manipulate a system administrator into running scp with a malicious command line parameter. In addition it may be exploited in cases where copying of files via scp is permitted but running remote commands or logging in via ssh is not.

The vendor has reportedly stated that they intentionally omit validation of "anomalous argument transfers" to avoid "breaking existing workflows."

Brocade Fabric OS v9.1.1 and later versions of Brocade Fabric OS provide an option to use scp via the Maintenance account, which provides an scp wrapper as a client. The scp functionality is limited to uploading files from the working directory only. These versions of Brocade Fabric OS are not affected due to the extensive parameter checking implemented within the Maintenance account. Native SCP can only be exercised under serviceshell (root level access).

Brocade Fabric OS versions prior to v9.1.1 allow for the use of a root account, and the scp command could be run from within this account.

Products Confirmed Not Affected

Brocade Fabric OS is not affected as native scp use requires root level access to exploit this vulnerability.

Brocade SANnav and ASCG products do not use scp and are not affected.

Workaround

There is no fix being provided by the vendor. Recommendation is to use sftp in place of scp whenever possible.

Note

While Brocade SANnav and ASCG doe not use scp, the vulnerable code is present in the underlying OS within the OVA applications of these products and could be used by a privileged user on the server where the SANnav or ASCG product is installed.

Revision History

Version	Change	Date
1.0	Initial Publication	November 7, 2023

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.