CVE-2020-12062
published 2020-06-01CVE-2020-12062: The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user…
PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
2.27%
80.8th percentile
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:8.3p1-1 (bookworm) | openssh 1:8.3p1-1 (bookworm) |
| openbsd | openssh | — | — |
| openbsd | openssh | >= 0 < 1:8.3p1-1 | 1:8.3p1-1 |
| openbsd | openssh | >= 0 < 1:8.3p1-1 | 1:8.3p1-1 |
| openbsd | openssh | >= 0 < 1:8.3p1-1 | 1:8.3p1-1 |
| openbsd | openssh | >= 0 < 1:8.3p1-1 | 1:8.3p1-1 |
| paloalto | prisma_sd | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-843q-w84q-c7qg: ** DISPUTED ** The scp client in OpenSSH 8
ghsa_unreviewed·2022-05-24
CVE-2020-12062 [MEDIUM] CWE-20 GHSA-843q-w84q-c7qg: ** DISPUTED ** The scp client in OpenSSH 8
** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."
OSV
CVE-2020-12062: The scp client in OpenSSH 8
osv·2020-06-01·CVSS 7.5
CVE-2020-12062 [HIGH] CVE-2020-12062: The scp client in OpenSSH 8
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
CISA ICS
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
cisa_ics·2023-12-14
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
ICS Advisory
##
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
Release DateDecember 14, 2023
Alert CodeICSA-23-348-10
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
- Vulnerabilities: Improper Restriction of XML External Entity Reference, Time-of-check Time-of-use (TOCTOU) Race Condition, Command Injection, Miss
Red Hat
openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
vendor_redhat·2020-05-27·CVSS 7.5
CVE-2020-12062 [HIGH] CWE-20 openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
openssh: scp can send duplicate responses to the server upon a utimes system call failure leading to overwrite of arbitrary files
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
Statement: Red Hat does not consider thi
Debian
CVE-2020-12062: openssh - The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the serve...
vendor_debian·2020·CVSS 7.5
CVE-2020-12062 [HIGH] CVE-2020-12062: openssh - The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the serve...
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
Scope: local
bookworm: resolved (fixed in 1:8.3p1-1)
bullseye: resolved (fixed in 1:8.3p1-1)
forky: resolved (fixed in 1:8.3p1-1)
sid: resolved (fixed in 1:8.3p1-1)
trixie:
No detection rules found.
No public exploits indexed.
https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894https://www.openssh.com/txt/release-8.3https://www.openwall.com/lists/oss-security/2020/05/27/1https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894https://www.openssh.com/txt/release-8.3https://www.openwall.com/lists/oss-security/2020/05/27/1
2020-06-01
Published