On March 6, US-CERT issued an announcement regarding a 17-year-old remote code execution vulnerability affecting the Point-to-Point Protocol Daemon (pppd) software, affecting almost all Linux-based operating systems and network devices firmware. The vulnerability is a stack buffer overflow vulnerability (CVE-2020-8597) with a CVSS score of 9.8.
The advisory says:
“This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption, possibly leading to the execution of unwanted code.
The vulnerability is in the logic of the eap parsing code, specifically in the eap_request() and eap_response() functions in eap.c that are called by a network input handler.
It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send unsolicited EAP packet to trigger the buffer overflow.”
- Point-to-Point Protocol Daemon versions 2.4.2 through 2.4.8
Affected systems and equipment
- SUSE Linux
- Red Hat Enterprise Linux
- Cisco CallManager
- OpenWRT Embedded OS
- Synology (DiskStation Manager, VisualStation, Router Manager)
At present, pppd and some Linux systems have released security patches for supported products to fix the vulnerability. The affected users install the patch as soon as possible.