CVE-2020-12062: 
NixOS vulnerability analysis and mitigation

The scp client in OpenSSH 8.2 contains a vulnerability (CVE-2020-12062) where it incorrectly sends duplicate responses to the server upon a utimes system call failure. This vulnerability was discovered in early 2020 and affects the file transfer functionality of OpenSSH (NVD).

The vulnerability occurs when receiving files through scp, where the client can become desynchronized if a utimes(2) system call fails. This desynchronization could allow file contents to be interpreted as file metadata, enabling an adversary to craft a file system that transfers different file names and contents compared to the actual file system layout when copied with scp in configurations causing utimes(2) to fail (e.g., under a SELinux policy or syscall sandbox). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (NVD, OpenSSH Release).

The impact of this vulnerability is limited as exploitation requires specific conditions. Successful exploitation is not silent - the output of scp would show transfer errors followed by the actual files received. Additionally, filenames returned from the peer are matched against the user's requested destination, preventing writes outside the user's selected target. The vendor notes that this attack cannot achieve more than what a hostile peer could already accomplish within the scp protocol (OpenSSH Release).

The vulnerability was addressed in OpenSSH 8.3, released on May 27, 2020. The fix involves changes to how scp handles utimes failures and response synchronization. Users are recommended to upgrade to OpenSSH 8.3 or later versions (OpenSSH Release).