The US-CERT has issued a security advisory warning users of a 17-year-old critical Remote Code Execution (RCE) vulnerability in pppd (Point-to-Point Protocol Daemon), software that ships with almost all Linux-based operating systems.
The flaw, tracked as CVE-2020-8597 and rated 9.3, was discovered by IOActive security researcher Ilja Van Sprundel.
The pppd (Point to Point Protocol Daemon) software is an implementation of Point-to-Point Protocol, which allows the communication and transfer of data between nodes, and is mainly used in the establishment of internet links over dial-up modems, DSL connections, and many other types of point-to-point links including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP).
The pppd versions 2.4.2 through 2.4.8 are vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines.
This flaw allows an unauthenticated remote attacker to execute arbitrary code on the target system and gain root-level privileges. The vulnerability can be exploited by sending a malicious EAP packet to a vulnerable PPP client or server via a direct link (ISDN, Ethernet, SOcket CAT, PPTP, GPRS, or ATM), which can corrupt memory in the pppd process and, in turn, may allow arbitrary code execution.
The vulnerability exists because of “an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code,” the security advisory explained.
“The vulnerability is in the logic of the eap parsing code, specifically in the eap_request() and eap_response() functions in eap.c that are called by a network input handler. These functions take a pointer and length as input using the first byte as a type. If the type is EAPT_MD5CHAP(4), it looks at an embedded 1-byte length field. The logic in this code is intended to make sure that embedded length is smaller than the whole packet length. After this verification, it tries to copy provided data (hostname) that is located after the embedded length field into a local stack buffer. This bounds check is incorrect and allows for memory copy to happen with an arbitrary length of data.”
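To make the length arithmetic concrete, here is an added C example written for this article (it is not pppd's own eap.c): it parses the [type][length][value][peer name] layout the advisory describes and rejects any packet whose remaining bytes, not just the embedded length field, would overflow the destination buffer. The buffer size RHOSTNAME_CAP and the sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define EAPT_MD5CHAP 4
#define RHOSTNAME_CAP 256  /* assumed size of the local buffer; hypothetical value */

/* Parse an EAP MD5-Challenge body laid out as [type][vallen][value...][peer name...].
 * inp points at the type byte, len is the number of bytes the packet actually carries.
 * On success the peer name is copied NUL-terminated into rhostname and its length is
 * returned; any packet whose lengths do not add up is rejected with -1. */
int parse_md5chap(const unsigned char *inp, size_t len, char *rhostname, size_t cap)
{
    if (len < 2 || inp[0] != EAPT_MD5CHAP)
        return -1;
    size_t vallen = inp[1];        /* embedded 1-byte length of the challenge value */
    size_t avail  = len - 2;       /* bytes that follow the type and length bytes */
    /* Check 1: the embedded length must fit inside the packet. */
    if (vallen > avail)
        return -1;
    /* Check 2: whatever follows the value is the peer name. Its size is derived from
     * the bytes that remain in the packet, and that is the quantity that must be
     * compared against the destination buffer (leaving room for the terminator). */
    size_t hostlen = avail - vallen;
    if (hostlen >= cap)
        return -1;
    memcpy(rhostname, inp + 2 + vallen, hostlen);
    rhostname[hostlen] = '\0';
    return (int)hostlen;
}

/* Builds a constructed sample packet with a 16-byte challenge value and a peer name
 * of the requested length, then runs the parser over it. */
static int run_sample(size_t vallen_byte, size_t namelen, char *out)
{
    unsigned char pkt[2 + 16 + 400];
    size_t len = 2 + 16 + namelen;
    pkt[0] = EAPT_MD5CHAP;
    pkt[1] = (unsigned char)vallen_byte;
    memset(pkt + 2, 0xAB, 16);          /* challenge value */
    memset(pkt + 18, 'p', namelen);     /* peer name bytes */
    return parse_md5chap(pkt, len, out, RHOSTNAME_CAP);
}

int demo_well_formed(void)    { char h[RHOSTNAME_CAP]; return run_sample(16, 4, h); }   /* 4 */
int demo_name_too_long(void)  { char h[RHOSTNAME_CAP]; return run_sample(16, 300, h); } /* -1 */
int demo_vallen_too_big(void) { char h[RHOSTNAME_CAP]; return run_sample(200, 4, h); }  /* -1 */
int demo_name_copied(void)    { char h[RHOSTNAME_CAP]; run_sample(16, 4, h); return strcmp(h, "pppp") == 0; }
```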
The following Linux distributions have been confirmed to be affected by the pppd flaw:
· Ubuntu
· Debian
· Fedora
· SUSE Linux
· Red Hat Enterprise Linux
· NetBSD
Additionally, Cisco CallManager, TP-LINK products, Synology products, and the OpenWRT embedded OS are also vulnerable, as they ship the affected pppd versions.
We suggest you update your software with the latest available security patches provided by your software vendor as soon as possible.