CVE-2018-20685

MEDIUM | EXPLOITED IN THE WILD | RANSOMWARE

OpenSSH < 7.9 - Incorrect Authorization via SCP Filename Manipulation

Title source: llm

Exploitation Summary

CVE-2018-20685 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns.

Description

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via a filename of "." or an empty filename. The impact is modification of the permissions of the target directory on the client side.

Scores

CVSS v3: 5.3
EPSS: 0.0338
EPSS Percentile: 87.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

VulnCheck KEV: 2020-07-19
InTheWild.io: 2022-05-25
Ransomware Use: Confirmed
CWE: CWE-863
Status: published
Products (34)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
debian/debian_linux 9.0
fujitsu/m10-1_firmware < xcp2361
fujitsu/m10-4_firmware < xcp2361
fujitsu/m10-4s_firmware < xcp2361
fujitsu/m12-1_firmware < xcp2361
... and 24 more
Published: Jan 10, 2019
Tracked Since: Feb 18, 2026