All SCP ( Secure Copy Protocol ) carrying out from the death 36 eld since 1983 are vulnerable to four security department hemipterous insect that set aside a malicious SCP server to give unauthorised change to the ( substance abuser ) arrangement of a node and veil malicious performance in the twist . The vulnerability have been describe by Harry Sintonen , a surety research worker with Suomi cyber certificate unbendable F - Secure , who has been work since August of shoemaker’s last twelvemonth to fixing and while them in the Major SCP communications protocol application program . For our reader not intimate with SCP , the communications protocol is a “ strong ” RCP ( Remote Copy Protocol ) effectuation - a protocol for transfer Indian file over a meshwork . SCP maneuver in addition to the SSH communications protocol and fend for an assay-mark mechanism to put up legitimacy and confidentiality for transfer Indian file , merely as SSH supply the like for the elderly and insecure Telnet communications protocol . jump habituate devoid ssh vulnerability electronic scanner on-line to forbid from drudge . SCP has been apply as a standalone app under the same epithet since its number one dismission rearward in 1983 , but has besides been admit in other apps . For example , SCP is the measure method acting of file away channelise for OpenSSH , Putty and WinSCP . Whenever user transpose Indian file ( or vice versa ) between a server and a guest via these apps , they are transport via the SCP communications protocol , stranger to the drug user , unless substance abuser have take to usance the SFTP communications protocol as the nonremittal modality for information transport . In a protection consultative issue net workweek on his personal site , Sintonen give away that there exist four John Major security system wiretap touch on SCP implementation : CVE-2018 - 20685- A SCP client app set aside a outback SCP server to qualify the objective directory ’s permission . CVE-2019 - 6111- An SCP malicious server can overwrite arbitrary file in the point directory of the SCP customer . If a recursive ( -r ) functioning is transport out , the server can besides fudge fill in - directory ( for instance overwrite.ssh/authorized paint ) . CVE-2019 - 6109- ANSI write in code can be put-upon to pull wires end client production to cover subsequent operation . CVE-2019 - 6110- relative to the in a higher place , the job are rout in the pilot carrying out of the RCP protocol by the BSD , which intend that all SCP execution in the survive 36 days have been impress to a different extent . only when the WinSCP squad plow the trouble account with the release of WinSCP 5.14 at the prison term of piece of writing . If patch up is not an selection or out of the exploiter ’s ensure , SCP node should be configured to petition data file via SFTP ( Secure FTP ) . It should be far-famed that any tone-beginning that may undertake to effort these exposure bet on a malicious political party that rent over a SCP server or is in a world - in – the - centre military position , although the MitM lash out may be light to observe because the victim postulate to swallow the wrong legion fingerprint . After the publishing escort of this article , substance abuser who consider they may be dissemble can sustain an center on Sirtonen ’s security system consultive for update info on coming speckle for other SCP customer . We will practice our well to update this clause .