Overview of SCP protocol covering its SSH-based operation, known vulnerabilities, deprecation status, and migration path to SFTP for secure file transfers.
# SCP Protocol
Secure Copy Protocol (SCP) is a file transfer protocol that uses SSH to provide encryption and authentication for copying files between hosts. Based on the legacy RCP (Remote Copy Protocol), SCP emerged in the 1990s as a secure replacement for plaintext file transfer methods like FTP and RCP. The protocol became ubiquitous in Unix and Linux environments because it offered a simple command-line interface for encrypted file transfers without requiring separate daemon configuration or complex setup procedures.
SCP exists as a network protocol specification and as a client-server implementation. The protocol piggybacks on SSH for all cryptographic operations, meaning any system with SSH capability can support SCP transfers. This design made SCP adoption straightforward: administrators who were already using SSH for remote shell access could immediately transfer files securely using the same authentication credentials and network infrastructure.
The protocol fills a specific niche in the file transfer ecosystem. Unlike full-featured protocols like SFTP or FTPS, SCP provides only basic copy functionality. It cannot resume interrupted transfers, perform directory listings, or modify remote files. This simplicity was initially seen as an advantage because SCP transfers behaved like local file copy operations, making the protocol intuitive for system administrators familiar with the cp command. However, this same simplicity has become a liability as security requirements have evolved and more sophisticated file transfer protocols have matured.
SCP operates within the broader SSH protocol family, which includes SSH for shell access, SFTP for file transfer, and SSH tunneling for port forwarding. While SSH itself remains secure and widely deployed, SCP represents the weakest link in this family due to architectural decisions that made sense in the 1990s but create security vulnerabilities in modern environments.
SCP establishes an SSH connection between client and server, then executes shell commands on the remote system to facilitate file transfer. This approach differs fundamentally from protocols like SFTP, which implement file transfer operations as discrete protocol commands rather than shell execution.
The SCP transfer process begins with standard SSH authentication. The client connects to the server using SSH, authenticating with public key, password, or certificate-based methods. Once the SSH session is established, the client executes the scp command on the remote host, passing parameters that specify the transfer mode and file information.
SCP operates in two distinct modes: source mode and sink mode. In source mode, the remote system sends files to the client. The client connects to the server and executes a command like scp -f /path/to/file, which instructs the server to enter source mode and send the specified file. The server responds with a control message containing file metadata (permissions, size, timestamp), followed by the raw file data. In sink mode, the remote system receives files from the client. The client executes scp -t /destination/path on the server, which puts the server into sink mode to receive incoming files.
The control protocol uses simple ASCII messages to coordinate transfers. A typical source mode transfer begins with the server sending a message like C0644 1024 filename.txt to indicate a regular file with octal permissions 0644, size 1024 bytes, and filename filename.txt. The client acknowledges with a null byte, the server transmits exactly 1024 bytes of file data, and the client sends another null byte to confirm receipt. Error conditions are signaled by sending ASCII error codes instead of null bytes.
For directory transfers using the -r recursive flag, SCP sends directory start messages (D prefix), file messages for directory contents, and directory end messages (E prefix). This allows complete directory tree replication while preserving permissions and timestamps.
Authentication follows standard SSH patterns. Public key authentication uses RSA, ECDSA, or Ed25519 keypairs. Password authentication prompts for credentials. Certificate-based authentication validates SSH certificates against trusted certificate authorities. All authentication mechanisms benefit from SSH's protection against replay attacks and man-in-the-middle attacks when properly configured.
SCP inherits SSH's encryption capabilities, supporting modern ciphers like AES-128 and ChaCha20-Poly1305, as well as legacy algorithms like 3DES for backward compatibility. Key exchange uses Diffie-Hellman variants including curve25519-sha256 and diffie-hellman-group14-sha256. Message authentication codes (MACs) like hmac-sha2-256 ensure data integrity.
The protocol supports several command-line options that modify transfer behavior. The -p flag preserves modification times and access times. The -r flag enables recursive directory copying. The -C flag enables compression using SSH's built-in compression algorithms. The -l flag limits bandwidth usage. These options are passed through the SSH connection to the remote scp process.
However, this shell-execution architecture creates fundamental security problems. Because SCP relies on executing commands on the remote system, a malicious server can inject arbitrary data into what the client expects to be file transfer protocol messages. The server can send control messages that cause the client to write files to unexpected locations, overwrite existing files with malicious content, or create files with dangerous permissions.
SCP's security vulnerabilities represent a significant risk because the protocol remains widely deployed despite being officially deprecated. Organizations continue using SCP in automated scripts, backup procedures, and deployment pipelines, often without awareness of the associated security issues.
The most serious vulnerability involves malicious servers exploiting SCP's protocol design to compromise clients. CVE-2019-6111 demonstrates how a rogue server can overwrite arbitrary files on the client system during a download operation. The server accomplishes this by sending malformed control messages that include directory traversal sequences like ../../../etc/passwd in filenames. Because SCP processes these messages as shell commands rather than structured protocol data, insufficient validation allows the server to write files outside the intended destination directory.
This vulnerability is particularly dangerous because it subverts the expected trust model. Administrators typically assume that downloading files from a server poses minimal risk to the client system, especially when using a "secure" protocol like SCP. However, SCP's architecture means that any file download operation grants the server limited but potentially sufficient access to modify the client filesystem. In environments where SCP is used to retrieve files from multiple sources or from systems with shared administrative access, this creates a substantial attack surface.
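The client-side view of the control protocol described above (C/D/E messages, the size-delimited payload and the server's status byte), together with the filename checks a hardened client applies before writing anything, as an added example written for this article and not taken from OpenSSH or any other implementation. The byte strings are constructed samples, `sink()` and `safe_name()` are illustrative names, and the T (timestamp) messages sent with -p are not modeled.

```python
import re

# Constructed client-side view of the SCP wire protocol: the server is in source
# mode ("scp -f") and the client is the sink. The byte strings are hand-built
# samples; the client's own null-byte acknowledgements flow the other way.
C_RE = re.compile(rb"^C([0-7]{4}) (\d+) (.+)$")   # regular file: mode, size, name
D_RE = re.compile(rb"^D([0-7]{4}) \d+ (.+)$")      # directory start (sent with -r)

SAMPLE_FILE = b"C0644 5 report.txt\nhello\0"
SAMPLE_TREE = b"D0755 0 logs\nC0600 3 a.log\nabc\0E\n"
# A rogue server answering a request for report.txt with a different name in
# the client's destination directory (the CVE-2019-6111 pattern):
SAMPLE_ROGUE = b"C0644 10 .bash_aliases\nalias ls=x\0"

def safe_name(name):
    """A server-supplied name may only ever be a single path component."""
    return name not in (b"", b".", b"..") and b"/" not in name and b"\0" not in name

def sink(stream, dest, requested=None):
    """Simulate the receiving client: return the (path, mode, data) tuples it
    would write, or raise ValueError where a hardened client must abort."""
    pos, depth, written = 0, [], []
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        msg, pos = stream[pos:nl], nl + 1
        if msg == b"E" and depth:                # directory end
            depth.pop()
            continue
        if msg.startswith(b"D"):                 # directory start
            m = D_RE.match(msg)
            if not m or not safe_name(m.group(2)):
                raise ValueError(f"rejected directory message: {msg!r}")
            depth.append(m.group(2))
            continue
        m = C_RE.match(msg)
        if not m:
            raise ValueError(f"malformed control message: {msg!r}")
        mode, size, name = int(m.group(1), 8), int(m.group(2)), m.group(3)
        if not safe_name(name):
            raise ValueError(f"rejected unsafe filename: {name!r}")
        if requested is not None and not depth and name != requested:
            raise ValueError(f"server sent {name!r}, client asked for {requested!r}")
        data, pos = stream[pos:pos + size], pos + size
        if len(data) != size or stream[pos:pos + 1] != b"\0":
            raise ValueError("short read or server error status after file data")
        pos += 1                                 # consume the server's status byte
        path = "/".join([dest, *(d.decode() for d in depth), name.decode()])
        written.append((path, mode, data))
    return written
```

The top-level name check is the one a pre-fix client lacked: without it, the rogue sample is accepted and written into the destination directory under the server's chosen name.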
Beyond the headline vulnerability, SCP's design creates operational problems that impact security posture. The protocol cannot resume interrupted transfers, forcing retransmission of large files when network connectivity is unreliable. This limitation makes SCP unsuitable for transferring large datasets over unreliable connections, leading administrators to choose less secure alternatives like unencrypted FTP or to disable network security controls that might interrupt long-running transfers.
SCP also lacks modern file transfer features that support secure operations. The protocol cannot verify file integrity beyond basic size checks, making it difficult to detect corruption or tampering during transit. It provides no built-in support for bandwidth throttling beyond the crude -l option, making it challenging to transfer files without impacting production network performance. The protocol cannot perform partial file operations like seeking to specific offsets, preventing efficient synchronization workflows that only transfer changed portions of large files.
The business impact extends beyond technical limitations to compliance and audit concerns. Many regulatory frameworks require organizations to maintain detailed logs of data transfers, especially for sensitive information like personally identifiable information or protected health information. SCP provides minimal logging capabilities compared to modern file transfer protocols, making it difficult to demonstrate compliance with requirements for transfer monitoring and data loss prevention.
Organizations face a hidden cost from SCP's continued use in the form of technical debt. Scripts and automation systems built around SCP often require substantial modification to migrate to more secure protocols like SFTP. This migration cost creates an incentive to defer the work, leaving vulnerable protocols in production longer than necessary. However, the alternative is accepting ongoing exposure to known vulnerabilities in a deprecated protocol.
SCP deprecation falls squarely within the Security Protocol Hygiene (SPH) domain of CDA's Preventive Defense Model. SPH focuses on eliminating vulnerable protocols and configurations before they can be exploited, rather than detecting and responding to attacks after they occur. SCP represents a textbook case of protocol hygiene failure: a widely deployed technology with known vulnerabilities that organizations continue using despite the availability of superior alternatives.
CDA's Autonomous Posture Command methodology approaches SCP through continuous posture monitoring rather than periodic assessments. APC recognizes that organizations often migrate away from deprecated protocols during security reviews, only to reintroduce them through new deployments, vendor integrations, or staff changes. The "your hygiene never sleeps" principle means that SCP detection and remediation must be ongoing, automated processes rather than one-time projects.
During C-RECON (Continuous Reconnaissance) missions, CDA operators specifically inventory SCP usage across the environment. This includes obvious instances like interactive scp commands in shell histories, but also hidden usage in backup scripts, deployment automation, configuration management tools, and third-party software. Many organizations discover that vendor-supplied tools or legacy applications use SCP internally, even when the organization has explicitly standardized on SFTP for file transfers.
C-BUILD (Continuous Building) missions treat SCP elimination as a hardening requirement comparable to disabling unnecessary services or removing default accounts. The methodology recognizes that simply documenting SCP usage is insufficient; the protocol must be actively blocked at network and application layers to prevent reintroduction. This often involves SSH server configuration changes to disable SCP while maintaining SFTP functionality, firewall rules that log and block SCP traffic patterns, and endpoint monitoring that alerts on new SCP client installations.
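One way to make the server-side change described above (disabling legacy SCP while keeping SFTP available), shown as an added sshd_config example written for this article rather than taken from it or from OpenSSH's documentation; the group name filexfer and the chroot path are assumptions.

```text
# Weak: enabling the SFTP subsystem alone does nothing to stop SCP. Legacy scp
# is just "scp -t" / "scp -f" run through the account's shell via an SSH exec
# request, so every shell-capable account can still be reached with scp.
Subsystem sftp /usr/lib/openssh/sftp-server

# Hardened: for accounts that only transfer files, replace whatever command
# the client requests with the in-process SFTP server. An exec request for
# "scp -t ..." is overridden by internal-sftp, so a legacy scp client fails,
# while sftp clients (and scp clients that speak SFTP) keep working.
Subsystem sftp internal-sftp
Match Group filexfer
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
```

ForceCommand internal-sftp also removes interactive shell access for the matched accounts, and ChrootDirectory requires the directory (and every component above it) to be owned by root and writable by no one else. OpenSSH 9.0 and later make the scp command use the SFTP protocol by default, so with this configuration those clients continue to work while older clients speaking legacy SCP are refused.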
CDA's approach differs from conventional vulnerability management in several important ways. Traditional security programs often focus on SCP's CVE-2019-6111 vulnerability as a discrete issue to be patched or mitigated. CDA treats SCP usage as a systemic hygiene failure that indicates broader problems with protocol standardization and change management. An organization that continues using SCP likely has similar issues with other deprecated protocols like SSLv3, weak cipher suites, or legacy authentication methods.
The APC methodology also addresses the operational resistance that often prevents SCP migration. Rather than mandating immediate replacement of all SCP usage, CDA operators work with application teams to identify the specific file transfer requirements that SCP currently fulfills. In many cases, organizations discover that their SCP usage could be replaced with more secure alternatives that also provide better functionality, performance, and monitoring capabilities.
CDA emphasizes automation in SCP remediation because manual migration efforts frequently stall due to competing priorities and resource constraints. APC implementations include automated discovery of SCP usage, automated testing of SFTP replacements, and automated deployment of configuration changes that disable SCP while enabling SFTP. This automation ensures that SCP elimination progresses consistently rather than depending on manual effort that may be deferred or forgotten.
The preventive defense model treats SCP deprecation as an opportunity to improve overall file transfer security posture rather than simply addressing a single protocol vulnerability. Organizations that successfully eliminate SCP typically implement comprehensive file transfer standards that address authentication, encryption, logging, and data loss prevention across all file transfer mechanisms. This holistic approach provides protection against future protocol vulnerabilities and operational improvements that extend beyond security.
• SCP is officially deprecated due to fundamental architectural flaws that allow malicious servers to overwrite arbitrary files on client systems during downloads (CVE-2019-6111)
• The protocol's reliance on remote shell execution makes it inherently vulnerable to injection attacks and prevents implementation of modern file transfer security features
• SFTP provides equivalent functionality with superior security, logging, and operational capabilities, making SCP migration both necessary and beneficial
• Organizations often underestimate SCP usage because the protocol appears in automated scripts, vendor tools, and legacy applications beyond obvious interactive usage
• CDA's SPH domain treats SCP elimination as ongoing protocol hygiene rather than a one-time migration project, requiring continuous monitoring and automated remediation
• National Institute of Standards and Technology. "Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security." NIST Special Publication 800-46 Revision 2, July 2016.
• OpenSSH Project. "Legacy Certificate and Protocol Deprecation." OpenSSH Release Notes 8.0, April 2019.
• Common Vulnerabilities and Exposures. "CVE-2019-6111: scp client vulnerability allows overwrite of arbitrary files during scp download." MITRE Corporation, January 2019.
• Internet Engineering Task Force. "The Secure Shell (SSH) File Transfer Protocol." RFC 4253, January 2006.
Written by CDA Editorial