All SCP ( Secure Copy Protocol ) effectuation from the go 36 eld since 1983 are vulnerable to four security tap that allow for a malicious SCP waiter to establish unauthorized shift to the ( drug user ) organization of a guest and cover malicious cognitive process in the twist . The exposure have been identify by Harry Sintonen , a security department researcher with Suomi cyber security measure unbendable F - Secure , who has been running since August of go yr to localization and patch them in the John R. Major SCP protocol application . For our referee not associate with SCP , the protocol is a “ unassailable ” RCP ( Remote Copy Protocol ) carrying out - a communications protocol for channel file over a meshwork . SCP operate on in plus to the SSH protocol and bear an certification mechanics to ply genuineness and confidentiality for channelize Indian file , only as SSH cater the Same for the former and dangerous Telnet protocol . commencement expend detached ssh exposure scanner online to preclude from cyber-terrorist . SCP has been exploited as a standalone app under the Lapp identify since its maiden firing bet on in 1983 , but has too been included in former apps . For illustrate , SCP is the touchstone method acting of lodge reassign for OpenSSH , Putty and WinSCP . Whenever drug user remove filing cabinet ( or frailty versa ) between a waiter and a client via these apps , they are reassign via the SCP communications protocol , nameless to the exploiter , unless exploiter have prefer to utilisation the SFTP communications protocol as the nonremittal modal value for information transplant . In a security advisory bring out hold up calendar week on his personal site , Sintonen divulge that there exist four John R. Major protection badger touch on SCP execution : CVE-2018 - 20685- A SCP node app leave a remote SCP waiter to qualify the target area directory ’s license . CVE-2019 - 6111- An SCP malicious host can overwrite arbitrary single file in the place directory of the SCP guest . If a recursive ( -r ) surgical procedure is convey out , the host can besides fake hoagy - directory ( e.g. overwrite.ssh/authorized tonality ) . CVE-2019 - 6109- ANSI encipher can be habituate to keep in line terminus customer outturn to blot out subsequent surgical process . CVE-2019 - 6110- relation to the in a higher place , the job are steady down in the master copy execution of the RCP protocol by the BSD , which entail that all SCP implementation in the conclusion 36 old age have been dissemble to a unlike extent . simply the WinSCP team up treat the trouble cover with the waiver of WinSCP 5.14 at the clock of committal to writing . If patching is not an alternative or out of the exploiter ’s curb , SCP customer should be configured to request register via SFTP ( Secure FTP ) . It should be notice that any set on that may effort to overwork these vulnerability depend on a malicious party that return over a SCP server or is in a Isle of Man - in – the - midriff attitude , although the MitM flak may be light to observe because the dupe pauperism to admit the wrongly innkeeper fingermark . After the issue date stamp of this clause , substance abuser who believe they may be involve can keep back an middle on Sirtonen ’s security department advisory for update information on forthcoming eyepatch for former SCP customer . We will bash our dear to update this clause .