Point-to-Point Protocol (PPP) Vulnerebility
The US-CERT today issued advisory
warning users of a new dangerous 17-year-old remote code execution vulnerability
affecting the PPP daemon (pppd) software that comes installed on almost all
Linux based operating systems, as well as powers the firmware of many other
networking devices.
The affected pppd software is an implementation of Point-to-Point Protocol (PPP)
that enables communication and data transfer between nodes, primarily used to
establish internet links such as those over dial-up modems, DSL broadband
connections, and Virtual Private Networks.
Discovered by IOActive security researcher Ilja Van Sprundel, the critical issue
is a stack buffer overflow vulnerability that exists due to a logical error in
the Extensible Authentication Protocol (EAP) packet parser of the pppd software.
The vulnerability, tracked as CVE-2020-8597 with CVSS Score 9.8, can be
exploited by unauthenticated attackers to remotely execute arbitrary code on
affected systems and take full control over them.
For this, all an attacker needs to do is to send an unsolicited malformed EAP
packet to a vulnerable ppp client or a server.
Additionally, since pppd often runs with high privileges and works in
conjunction with kernel drivers, the flaw could allow attackers to potentially
execute malicious code with the system or root-level privileges.
"This vulnerability is due to an error in validating the size of the input
before copying the supplied data into memory. As the validation of the data size
is incorrect, arbitrary data can be copied into memory and cause memory
corruption, possibly leading to the execution of unwanted code," the advisory
says.
"The vulnerability is in the logic of the eap parsing code, specifically in the
eap_request() and eap_response() functions in eap.c that are called by a network
input handler."
"It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or
EAP has not been negotiated by a remote peer using a secret or passphrase. This
is due to the fact that an authenticated attacker may still be able to send
unsolicited EAP packet to trigger the buffer overflow."
pppd Bug: Affected Operating Systems and Devices
According to the researcher, Point-to-Point Protocol Daemon versions 2.4.2
through 2.4.8 — all versions released in the last 17 years — are vulnerable to
this new remote code execution vulnerability.
Some of the widely-used, popular Linux distributions, listed below, have already
been confirmed impacted, and many other projects are most likely affected as
well.
Debian
Ubuntu
SUSE Linux
Fedora
NetBSD
Red Hat Enterprise Linux
Besides this, the list of other vulnerable applications and devices (some of
them listed below) that ship the pppd software is also likely extensive, opening
a large attack surface for hackers.
Cisco CallManager
TP-LINK products
OpenWRT Embedded OS
Synology products
Users with affected operating systems and devices are advised to apply security
patches as soon as possible, or when it becomes available.