
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in OpenSSH through version 8.3p1 that allows command injection in the scp.c toremote function. The vulnerability, identified as CVE-2020-15778, was discovered on June 9, 2020, and publicly disclosed on July 18, 2020. The issue specifically affects the scp program when using backtick characters in the destination argument (GitHub POC).
The vulnerability exists in the scp program's handling of file paths during remote file copying operations. When copying files to a remote server, the destination file path is appended, without proper sanitization, to the end of the scp command that is run locally on that server. An attacker can exploit this by passing a payload enclosed in backticks as the destination filename, which that server's shell executes when the scp command runs (GitHub POC).
The vulnerability allows an authenticated user to perform command injection on remote servers through carefully crafted filenames containing backtick characters. This could potentially lead to unauthorized command execution on the remote system with the privileges of the authenticated user (GitHub POC, NetApp Advisory).
The OpenSSH vendor has stated that they intentionally omit validation of 'anomalous argument transfers' as it could 'stand a great chance of breaking existing workflows.' Users are advised to use rsync or alternative secure file transfer methods if they are concerned about this vulnerability. The vendor considers this a feature rather than a security issue (CVE Mitre, OpenSSH Security).
The vulnerability has been disputed within the security community. NetApp initially rated this vulnerability but later changed their CVSS score to 0.0, indicating they no longer consider it a security vulnerability (NetApp Advisory). The OpenSSH team's position is that the scp command relies on a historical protocol (called rcp) which makes it difficult to add security features without breaking existing workflows.
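Because scp does not validate the destination argument itself, automation that builds scp commands from untrusted file names can check the operands before invoking it. The following is an added example, not code from OpenSSH or the referenced PoC; the allowlist, function names and sample hosts are assumptions of this example, and the remote-operand rule only approximates scp's own parsing.

```python
import re

# Allowlist for the remote path (an assumption of this example): characters a
# POSIX shell passes through unchanged. Backticks and everything else are reported.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./+,@%=-]")


def split_remote(arg):
    """Return (host, path) if arg looks like [user@]host:path, else None.
    Approximation of scp's rule: a ':' before any '/' marks a remote operand."""
    if arg.startswith(":"):
        return None                      # leading ':' is part of a local name
    head = arg.split("/", 1)[0]          # text before the first '/'
    if head.startswith("[") or "@[" in head:     # bracketed IPv6 host
        end = arg.find("]:")
        return (arg[:end + 1], arg[end + 2:]) if end != -1 else None
    if ":" in head:
        host, _, path = arg.partition(":")
        return host, path
    return None


def unsafe_chars(path):
    """Characters in path outside the allowlist, in first-seen order."""
    return list(dict.fromkeys(ch for ch in path if not SAFE_PATH.fullmatch(ch)))


def audit_scp_operands(operands):
    """Return {operand: [bad chars]} for remote operands that should be rejected."""
    findings = {}
    for op in operands:
        remote = split_remote(op)
        bad = unsafe_chars(remote[1]) if remote else []
        if bad:
            findings[op] = bad
    return findings


# Constructed sample operands; hosts and paths are illustrative only.
SAMPLES = [
    "notes.txt",                                  # local file
    "deploy@files.example:/srv/in/notes.txt",     # clean remote path
    "deploy@files.example:/srv/in/`x`.txt",       # backticks in destination
    "./local:`x`",                                # '/' before ':' means local
]

if __name__ == "__main__":
    for operand, bad in audit_scp_operands(SAMPLES).items():
        print(f"reject {operand!r}: unsafe characters {bad}")
```

The allowlist is deliberately strict and also rejects spaces and glob characters; widen it only for characters the receiving account's shell is known to treat literally.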
Source: This report was generated using AI