scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - openssh: scp allows command injection when using backtick characters in the destination argument     (CVE-2020-15778)

  - Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to     detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We     understand that the OpenSSH developers do not want to treat such a username enumeration (or oracle) as a     vulnerability.' (CVE-2018-15919)

  - In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions     via the filename of . or an empty filename. The impact is modifying the permissions of the target     directory on the client side. (CVE-2018-20685)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-3166 advisory.

    - Providing a kill switch for scp to deal with CVE-2020-15778       Resolves: RHEL-22870

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3166 advisory.

    OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating     systems. It includes the core files necessary for both the OpenSSH client and server.

    Security Fix(es):

    * openssh: scp allows command injection when using backtick characters in the destination argument     (CVE-2020-15778)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.10 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2024:3166 advisory.

  - scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by     backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they     intentionally omit validation of anomalous argument transfers because that could stand a great chance     of breaking existing workflows. (CVE-2020-15778)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K04305530 advisory.

    scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by     backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they     intentionally omit validation of anomalous argument transfers because that could stand a great chance     of breaking existing workflows.(CVE-2020-15778)ImpactThis flaw is found in the SCP program shipped with     theopenssh-clientspackage. An attacker having the ability to SCP files to a remote server could run     arbitrary commands on the remote server by including a command as a part of the filename being copied on     the server. This command runs with the user permissions used to copy the files on the remote server. The     most serious threats from this vulnerability are to data confidentiality and integrity, as well as to     system availability.

Tenable has extracted the preceding description block directly from the F5 Networks BIG-IP security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202212-06 (OpenSSH: Multiple Vulnerabilities)

  - ** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as     demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated     that they intentionally omit validation of anomalous argument transfers because that could stand a     great chance of breaking existing workflows. (CVE-2020-15778)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of OpenSSH running on the remote host is potentially affected by multiple vulnerabilities.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the version of the openssh packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - ** DISPUTED ** scp in OpenSSH through 8.3p1 allows     command injection in the scp.c toremote function, as     demonstrated by backtick characters in the destination     argument. NOTE: the vendor reportedly has stated that     they intentionally omit validation of 'anomalous     argument transfers' because that could 'stand a great     chance of breaking existing workflows.'(CVE-2020-15778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  - scp in OpenSSH through 8.3p1 allows command injection     in scp.c remote function, as demonstrated by backtick     characters in the destination argument. NOTE: the     vendor reportedly has stated that they intentionally     omit validation of 'anomalous argument transfers'     because that could 'stand a great chance of breaking     existing workflows.'(CVE-2020-15778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The IBM Spectrum Protect Plus running on the remote host is affected by a remote command injection vulnerability due to improper input validation in the remote function in scp.c. An unauthenticated, remote attacker can exploit this, by using backtick characters in the destination argument, to execute arbitrary commands on the system.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - scp in OpenSSH through 8.3p1 allows command injection     in the scp.c toremote function, as demonstrated by     backtick characters in the destination argument. NOTE:
    the vendor reportedly has stated that they     intentionally omit validation of 'anomalous argument     transfers' because that could 'stand a great chance of     breaking existing workflows.'(CVE-2020-15778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
198974	RHEL 7 : openssh (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
198019	Oracle Linux 8 : openssh (ELSA-2024-3166)	Nessus	Oracle Linux Local Security Checks	high
197785	RHEL 8 : openssh (RHSA-2024:3166)	Nessus	Red Hat Local Security Checks	high
197680	CentOS 8 : openssh (CESA-2024:3166)	Nessus	CentOS Local Security Checks	high
195388	RHEL 5 : openssh (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
195377	RHEL 6 : openssh (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
179676	F5 Networks BIG-IP : SCP vulnerability (K04305530)	Nessus	F5 Networks Local Security Checks	high
169409	GLSA-202212-06 : OpenSSH: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
159492	OpenSSH PCI Disputed Vulnerabilities.	Nessus	Misc.	high
151319	EulerOS Virtualization for ARM 64 3.0.2.0 : openssh (EulerOS-SA-2021-2097)	Nessus	Huawei Local Security Checks	high
151235	EulerOS Virtualization 3.0.6.6 : openssh (EulerOS-SA-2021-2039)	Nessus	Huawei Local Security Checks	high
151168	EulerOS Virtualization for ARM 64 3.0.6.0 : openssh (EulerOS-SA-2021-2018)	Nessus	Huawei Local Security Checks	high
151155	IBM Spectrum Protect Plus OpenSSH Remote Command Injection	Nessus	Misc.	high
151035	EulerOS 2.0 SP8 : openssh (EulerOS-SA-2021-1993)	Nessus	Huawei Local Security Checks	high

Detections

Analytics

CVE-2020-15778

high

Tenable Plugins

high

high

high

high

critical

high

high

high

high

high

high

high

high

high