Nasty Linux PPPD vulnerability

This looks like a nasty vulnerability. A newly found critical 17-year-old remote code execution (RCE) vulnerability could expose nearly all popular Linux-based operating systems and many embedded devices to remote attackers. Many widely used Linux distributions have already been confirmed as affected.

Hacker News writes:

The US-CERT today issued an advisory warning users of a new dangerous remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux based operating systems. Affected versions are 2.4.2 through 2.4.8 (all versions released in the last 17 years).
A critical stack buffer overflow vulnerability exists due to a logical error in the Extensible Authentication Protocol (EAP) packet parser of the pppd software.

To me this sounds a bit nasty. PPP is not just an old protocol that was once used to connect to the Internet over old-fashioned telephone-line modems. PPP is very much in use inside many technologies today. For example, PPP (as PPPoE) is used in many ADSL connections, and PPP is used when communicating with most 3G/4G modems (so it is in use with 3G USB dongles, wireless network gateways, inside IoT devices and even inside smartphones and tablets). This vulnerability can therefore have wide consequences, and many devices may need to be updated.

Page https://kb.cert.org/vuls/id/782301/ says:

By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.
Update your software with the latest available patches provided by your software vendor. It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase.

Arbitrary code execution by an unauthenticated remote attacker sounds pretty nasty to me: an unauthenticated attacker may be able to exploit this to trigger a stack-based buffer overflow, which can cause arbitrary code execution. The vulnerability, tracked as CVE-2020-8597 with CVSS Score 9.3, can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them. All an attacker needs to do is to send an unsolicited malformed EAP packet to a vulnerable ppp client or server over a direct serial link, ISDN, Ethernet, SSH, Socket CAT, PPTP, GPRS, or ATM networks.

The recommended solution is to update your software with the latest available patches provided by your software vendor. It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. If your software is packaged and built from the ppp source code, you can obtain the latest software from the GitHub pppd repository at https://github.com/paulusmack/ppp.
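To make the "logical error in the EAP packet parser" concrete, here is an added example (my own code, not pppd's source): a hardened parser for the peer name in an EAP MD5-Challenge packet (RFC 3748 layout: code, identifier, length, type, then value-size, value, name) placed beside the flawed length predicate, whose pattern is reconstructed from the published fix and simplified. NAME_BUF, the helper names and the sample packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define EAP_HDRLEN 4      /* code, identifier, length (2 bytes), RFC 3748 */
#define EAPT_MD5CHAP 4    /* MD5-Challenge type */
#define NAME_BUF 256      /* assumed size of the fixed stack buffer for the peer name */

/* Flawed predicate (pattern reconstructed from the public fix): it should test
 * whether the name, len - vallen bytes, fits NAME_BUF, but compares vallen with
 * len + NAME_BUF, never true once vallen <= len, so the name is copied unclamped. */
int flawed_name_is_clamped(size_t len, size_t vallen) {
    return vallen >= len + NAME_BUF;   /* 1 = clamp, 0 = copy as-is */
}
/* Corrected predicate: clamp whenever the name itself does not fit
 * (caller guarantees vallen <= len, so the subtraction cannot wrap). */
int fixed_name_is_clamped(size_t len, size_t vallen) {
    return len - vallen >= NAME_BUF;
}
/* Hardened extraction: validates the length field, type, value size and name
 * size before copying. Returns the name length, or -1 if malformed/oversized. */
int extract_md5chap_name(const uint8_t *pkt, size_t pktlen, char *out, size_t outsz) {
    if (pktlen < EAP_HDRLEN + 2) return -1;
    size_t eaplen = ((size_t)pkt[2] << 8) | pkt[3];
    if (eaplen < EAP_HDRLEN + 2 || eaplen > pktlen) return -1; /* header lies */
    if (pkt[4] != EAPT_MD5CHAP) return -1;
    const uint8_t *inp = pkt + EAP_HDRLEN + 1;  /* type-data: value-size, value, name */
    size_t len = eaplen - EAP_HDRLEN - 1;
    size_t vallen = *inp++; len--;
    if (vallen < 8 || vallen > len) return -1;  /* challenge value must fit */
    size_t namelen = len - vallen;
    if (namelen >= outsz) return -1;            /* reject instead of overflowing */
    memcpy(out, inp + vallen, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}
/* Builds a constructed MD5-Challenge request (16-byte dummy value, name of
 * namelen 'A's; not a real capture) and parses it. Returns the parser result. */
int roundtrip(size_t namelen) {
    uint8_t pkt[1024]; char name[NAME_BUF];
    size_t vallen = 16, total = EAP_HDRLEN + 2 + vallen + namelen;
    if (total > sizeof pkt) return -2;
    pkt[0] = 1; pkt[1] = 7;                      /* Request, identifier 7 */
    pkt[2] = (uint8_t)(total >> 8); pkt[3] = (uint8_t)total;
    pkt[4] = EAPT_MD5CHAP; pkt[5] = (uint8_t)vallen;
    memset(pkt + 6, 0xAB, vallen);
    memset(pkt + 6 + vallen, 'A', namelen);
    return extract_md5chap_name(pkt, total, name, sizeof name);
}
```

With a 400-byte name the flawed predicate still reports "no clamp" while the corrected one clamps, which is exactly why "EAP not enabled" gave no protection: the parser runs on any unsolicited packet.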

2 Comments

  1. Tomi Engdahl says:

    multiple GitHub repositories have been published that may soon host a working PoC. One appears to be a work-in-progress, while another claims that a PoC will be released for this vulnerability “in a week or two when things die down.”
    https://www.tenable.com/blog/cve-2020-8597-buffer-overflow-vulnerability-in-point-to-point-protocol-daemon-pppd

