{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/scp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35385"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openssh","scp","privilege-escalation","cve-2026-35385"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenSSH, the widely deployed suite of Secure Shell (SSH) networking utilities, is affected by CVE-2026-35385 in versions prior to 10.3. When \u003ccode\u003escp\u003c/code\u003e runs as root with the \u003ccode\u003e-O\u003c/code\u003e option (the legacy SCP protocol instead of SFTP) and without the \u003ccode\u003e-p\u003c/code\u003e option (preserve mode), a downloaded file may be created with the setuid or setgid bits that the remote side reported for it. Without \u003ccode\u003e-p\u003c/code\u003e a user reasonably expects a new file to receive an ordinary mode derived from the umask rather than the remote file\u0026rsquo;s special bits, so the result can be an unexpected setuid or setgid executable on the local system. Part of why the root condition matters: on Linux, a write by a process that lacks CAP_FSETID strips the setuid bit (and the setgid bit of a group-executable file) from the regular file being written, whereas a root client keeps them. The vulnerability was publicly disclosed on April 2, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker controls, or can place files on, a remote host from which a root user will copy files with \u003ccode\u003escp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker stages a file there with the setuid or setgid bit set, for example an executable with mode 4755.\u003c/li\u003e\n\u003cli\u003eRoot on the client runs \u003ccode\u003escp -O user@host:/path/to/file /local/path/\u003c/code\u003e: \u003ccode\u003e-O\u003c/code\u003e selects the legacy protocol and \u003ccode\u003e-p\u003c/code\u003e is omitted.\u003c/li\u003e\n\u003cli\u003eThe legacy protocol transmits the remote file mode together with the file data, and a vulnerable \u003ccode\u003escp\u003c/code\u003e applies the special bits from that mode when creating the local file even though \u003ccode\u003e-p\u003c/code\u003e was not requested.\u003c/li\u003e\n\u003cli\u003eThe file lands in \u003ccode\u003e/local/path/\u003c/code\u003e owned by root with setuid or setgid set; because root wrote it, the kernel does not clear those bits.\u003c/li\u003e\n\u003cli\u003eAny local user executes \u003ccode\u003e/local/path/file\u003c/code\u003e, and the process runs with the privileges of the file owner (root) or of the owning group, giving the attacker code execution at that level.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation is a local privilege escalation: any local user who can execute the downloaded file runs it with the privileges of its owner, which is root when root performed the download. The preconditions are narrow (the client must run as root, pass \u003ccode\u003e-O\u003c/code\u003e, and omit \u003ccode\u003e-p\u003c/code\u003e) and the attacker must control file modes on the remote side, so only a limited set of users is exposed. The risk is still significant where legacy SCP use is habitual or scripted, for example in tooling that predates the SFTP default, or where users do not realize what the two options imply.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenSSH to version 10.3 or later (\u003ca href=\"https://www.openssh.org/releasenotes.html#10.3p1\"\u003ehttps://www.openssh.org/releasenotes.html#10.3p1\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDrop the \u003ccode\u003e-O\u003c/code\u003e option so that \u003ccode\u003escp\u003c/code\u003e uses the SFTP protocol (the default since OpenSSH 9.0), or use \u003ccode\u003esftp\u003c/code\u003e or \u003ccode\u003ersync\u003c/code\u003e over SSH; avoid the legacy protocol entirely when downloading as root.\u003c/li\u003e\n\u003cli\u003eDo not treat \u003ccode\u003e-p\u003c/code\u003e as a mitigation: it deliberately preserves the remote mode, setuid and setgid bits included. Decide explicitly what mode a downloaded file should have, set it with \u003ccode\u003echmod\u003c/code\u003e after the transfer, and check the destination for stray special bits (for example \u003ccode\u003efind DIR -type f \\( -perm -4000 -o -perm -2000 \\)\u003c/code\u003e) before anything executes from it.\u003c/li\u003e\n\u003cli\u003eAlert on invocations of \u003ccode\u003escp\u003c/code\u003e with the \u003ccode\u003e-O\u003c/code\u003e flag in process-creation telemetry, for example with a Sigma rule, since that flag indicates use of the vulnerable legacy protocol.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T17:16:27Z","date_published":"2026-04-02T17:16:27Z","id":"/briefs/2026-04-openssh-scp-setuid/","summary":"OpenSSH versions before 10.3 may create setuid or setgid files when scp downloads files as root with the -O option (legacy SCP protocol) and without the -p option (preserve mode), contrary to user expectations.","title":"OpenSSH scp Insecure File Permission Vulnerability (CVE-2026-35385)","url":"https://feed.craftedsignal.io/briefs/2026-04-openssh-scp-setuid/"}],"language":"en","title":"CraftedSignal Threat Feed — Scp","version":"https://jsonfeed.org/version/1.1"}
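The post-transfer check that the brief's attack chain and recommendations call for, as an added example written for this entry rather than code from CraftedSignal or the OpenSSH project. It reproduces the attack-chain outcome with a constructed file (mode 4755 in a scratch directory, standing in for what a malicious server would advertise over the legacy protocol) and then audits and strips the special bits. It assumes a POSIX shell with `find`, `chmod` and `mktemp`; the function names, the `fetch_and_audit` wrapper and the planted file are illustrative, not anything scp itself provides.

```sh
#!/bin/sh
# Added example (not from the CraftedSignal brief or the OpenSSH project):
# a post-transfer audit for the CVE-2026-35385 scenario. A root-run
# "scp -O" download may leave setuid/setgid bits on the new file, so the
# destination is scanned for such files and the bits are stripped before
# anything executes from it. Function names and paths are illustrative.

# List regular files under $1 carrying setuid (4000) or setgid (2000).
# The -perm -MODE form is POSIX, so this works with GNU and BSD find.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of such files under $1; 0 means the directory is clean.
count_special_bits() {
    find_special_bits "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid from every flagged file under $1 and print
# each path that was changed. Ordinary permission bits are left alone.
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} \; -print
}

# Download wrapper for real use (needs a reachable host, so it is not
# exercised offline): no -O, so scp speaks SFTP (the OpenSSH 9.0+ default),
# then the destination is audited and any special bits are stripped.
# $1 = remote spec such as user@host:/path/to/file, $2 = local directory.
fetch_and_audit() {
    scp "$1" "$2" || return 1
    n=$(count_special_bits "$2")
    if [ "$n" -ne 0 ]; then
        echo "warning: $n file(s) with setuid/setgid under $2, stripping" >&2
        strip_special_bits "$2" >&2
    fi
    return 0
}

# Constructed scenario: a scratch directory with one file whose mode mimics
# what a malicious server would advertise for it in the legacy protocol.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello from a planted tool\n' > "$dir/tool"
    chmod 4755 "$dir/tool"          # constructed: setuid as delivered by scp -O
    echo "flagged before audit: $(count_special_bits "$dir")"
    strip_special_bits "$dir"
    echo "flagged after audit:  $(count_special_bits "$dir")"
    rm -rf "$dir"
}

demo
```

Run it as an ordinary user: `chmod 4755` on a file you own succeeds even though the bit is meaningless for a script, so the audit path is exercised without root. Only the wrapper needs a real host, and it is the piece to put in front of any scripted root download.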