This looks like a nasty vulnerability. A newly found critical 17-year-old remote code execution (RCE) vulnerability could open nearly all popular Linux-based operating systems and many embedded devices to remote attackers. Many widely used Linux distributions have already been confirmed as affected.
The US-CERT today issued an advisory warning users of a new dangerous remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux-based operating systems. Affected versions are 2.4.2 through 2.4.8 (all versions released in the last 17 years).
A critical stack buffer overflow vulnerability exists due to a logical error in the Extensible Authentication Protocol (EAP) packet parser of the pppd software.
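The class of defect described above is a length taken from the packet being trusted when data is copied into a fixed-size buffer. The following parser, an added example and not pppd's own code, shows the checks an EAP packet parser needs before it copies anything: the header length field against the bytes actually received, and the MD5-Challenge value-size against the bytes remaining in the packet. The field layout is from RFC 3748; the fixed name buffer size (MAX_NAME_LEN), the sample packets and the helper names are assumptions made for the demo, and the page does not say which check pppd got wrong.

```python
import struct

# EAP codes and types from RFC 3748; constant names are this example's own
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
MAX_NAME_LEN = 255  # assumed size of the fixed buffer the peer name is stored in


class EapError(ValueError):
    """Raised for any packet whose wire lengths do not add up."""


def parse_eap(buf: bytes) -> dict:
    """Parse one EAP packet, checking every length that comes off the wire
    against the bytes actually present before any field is copied out."""
    if len(buf) < 4:
        raise EapError("short header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    # header Length covers the whole packet; it must fit in what was received
    if length < 4 or length > len(buf):
        raise EapError(f"length field {length} inconsistent with {len(buf)} bytes on the wire")
    body = buf[4:length]
    pkt = {"code": code, "id": ident, "length": length}
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        return pkt  # Success/Failure carry no Type field
    if not body:
        raise EapError("request/response without type byte")
    pkt["type"] = body[0]
    data = body[1:]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = data
    elif pkt["type"] == EAP_TYPE_MD5:
        if not data:
            raise EapError("MD5-Challenge without value-size")
        vallen = data[0]
        # the check that matters: the value-size byte must fit inside the
        # bytes remaining in this packet, not merely be a small number
        if vallen > len(data) - 1:
            raise EapError(f"value-size {vallen} exceeds remaining {len(data) - 1} bytes")
        pkt["value"] = data[1:1 + vallen]
        name = data[1 + vallen:]
        # the trailing name is stored in a fixed buffer, so bound it too
        if len(name) > MAX_NAME_LEN:
            raise EapError(f"name of {len(name)} bytes exceeds fixed buffer")
        pkt["name"] = name
    return pkt


def build_md5_challenge(ident: int, value: bytes, name: bytes) -> bytes:
    """Constructed helper that builds a well-formed MD5-Challenge request."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def classify(buf: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for a packet."""
    try:
        parse_eap(buf)
        return "ok"
    except EapError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_md5_challenge(1, b"\x01" * 16, b"peer")        # constructed
    bad_vallen = good[:5] + b"\xff" + good[6:]                  # value-size larger than packet
    truncated = good[:10]                                       # Length field larger than buffer
    for label, pkt in [("good", good), ("bad value-size", bad_vallen), ("truncated", truncated)]:
        print(f"{label}: {classify(pkt)}")
```

Running the block prints one line per constructed packet: the well-formed request parses, the one whose value-size byte points past the end of the packet is rejected, and the one whose Length field exceeds the received bytes is rejected before the body is even looked at.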
To me this sounds a bit nasty. PPP is not just an old protocol that was once used to connect to the Internet over old-fashioned telephone-line modems. PPP is very much in use inside many technologies today. For example, PPP (as PPPoE) is used in many ADSL connections, and PPP is used when communicating with most 3G/4G modems (so it is in use with 3G USB dongles, wireless network gateways, inside IoT devices and even inside smartphones and tablets). This vulnerability can have wide consequences and may require updating many devices.
Page https://kb.cert.org/vuls/id/782301/ says:
By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.
Update your software with the latest available patches provided by your software vendor. It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase.
Arbitrary code execution by an unauthenticated remote attacker sounds pretty nasty to me: an unauthenticated attacker may be able to exploit this to trigger a stack-based buffer overflow, which can cause arbitrary code execution. The vulnerability, tracked as CVE-2020-8597 with a CVSS score of 9.3, can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them. All an attacker needs to do is send an unsolicited malformed EAP packet to a vulnerable ppp client or server over a direct serial link, ISDN, Ethernet, SSH, Socket CAT, PPTP, GPRS, or ATM networks.
The recommended solution is to update your software with the latest available patches provided by your software vendor. It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. If your software is packaged and built from the ppp source code, you can obtain the latest software from the pppd GitHub repository at https://github.com/paulusmack/ppp
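A first triage step on a fleet is to find which hosts run a pppd in the affected range. The following inventory check is an added example, not part of the post or the ppp project: it parses the version string from `pppd --version` output and compares it against the 2.4.2 through 2.4.8 range given above. It assumes the output contains the text "pppd version X.Y.Z" (the exact format is an assumption), and the sample outputs are constructed. A version number alone cannot show whether a distribution has backported the fix, so the verdict is a reason to check the vendor's package changelog rather than a final answer.

```python
import re
import subprocess

# Affected range from the advisory, inclusive at both ends
FIRST_AFFECTED = (2, 4, 2)
LAST_AFFECTED = (2, 4, 8)


def parse_pppd_version(text: str):
    """Return (major, minor, patch) from `pppd --version` output, or None.
    Assumes the output contains 'pppd version X.Y.Z'."""
    m = re.search(r"pppd version (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(ver) -> bool:
    """True when the upstream version number falls inside 2.4.2 .. 2.4.8."""
    return ver is not None and FIRST_AFFECTED <= ver <= LAST_AFFECTED


def assess(version_text: str) -> str:
    """Turn raw version output into a triage verdict for an inventory report."""
    ver = parse_pppd_version(version_text)
    if ver is None:
        return "unknown: could not parse pppd version"
    label = ".".join(map(str, ver))
    if version_in_affected_range(ver):
        # a distro may have backported the fix without bumping the version,
        # so this is "check the vendor patch level", not "confirmed vulnerable"
        return f"{label}: in affected range 2.4.2-2.4.8, verify vendor patch level"
    return f"{label}: outside affected range"


def installed_pppd_version_text():
    """Run the local pppd, if any, and return its version output (stdout and
    stderr combined, since the banner may go to either). None if not installed."""
    try:
        proc = subprocess.run(["pppd", "--version"], capture_output=True,
                              text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # constructed sample outputs standing in for a few hosts
    samples = {
        "host-a": "pppd version 2.4.7\n",
        "host-b": "pppd version 2.4.9\n",
        "host-c": "command not found\n",
    }
    for host, text in samples.items():
        print(f"{host}: {assess(text)}")
    local = installed_pppd_version_text()
    print(f"this host: {assess(local) if local is not None else 'pppd not installed'}")
```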
5 Comments
Tomi Engdahl says:
Multiple GitHub repositories have been published that may soon host a working PoC. One appears to be a work-in-progress, while another claims that a PoC will be released for this vulnerability “in a week or two when things die down.”
https://www.tenable.com/blog/cve-2020-8597-buffer-overflow-vulnerability-in-point-to-point-protocol-daemon-pppd
Tomi Engdahl says:
https://access.redhat.com/security/cve/cve-2020-8597
CVSS v3 Base Score 9.8