Remote code execution in PPP Daemon (CVE-2020-8597) could become the gateway for attackers
A new remote code execution vulnerability has been identified in the PPP daemon (pppd) software that ships with most Linux operating systems and is also used in other networking devices built on pppd. US-CERT announced this vulnerability today through its security advisory. Point-to-Point Protocol (PPP) facilitates communication and data transfer over internet links such as modems, broadband connections and VPNs. This vulnerability is tracked as CVE-2020-8597 and has been given a score of 9.8, showing how critical the flaw is.
First discovered by Ilja Sprundel, the issue is a stack buffer overflow in the PPP daemon software. It exists because of a logical error in the Extensible Authentication Protocol (EAP) packet parser in the software.
How can attackers exploit this vulnerability?
Attackers just need to send an unsolicited malformed EAP packet to the vulnerable PPP agent or server. Also, because pppd runs with elevated privileges and works together with kernel drivers, this vulnerability has the potential to let attackers take root-level control of the system.
Furthermore, the vulnerable code doesn’t validate the size of the input before processing the data supplied to it, so arbitrary data can be copied into memory and cause memory corruption, opening the door to the execution of unwanted code. The vulnerability lies in the logic of the EAP parsing code, which is called by the network input handler.
Even if users disable EAP, or EAP hasn’t been negotiated by a peer using a passphrase, attackers can still carry out the attack by sending an unsolicited EAP packet and triggering the buffer overflow.
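The missing size validation described above can be shown in a few lines of C. This is an added, constructed illustration and not pppd's source code: the packet layout, the function names and the 256-byte buffer size are assumptions made for the example. It sets a length guard that contains a logical error beside a parser that validates the size before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256  /* assumed size of the fixed stack buffer for the peer name */

/* Flawed guard (constructed): the test compares the wrong quantities, so it is
 * never true when vallen is a single byte and the copy length is never clamped.
 * Returns the number of bytes such a parser would go on to copy. */
size_t flawed_copy_len(size_t len, size_t vallen)
{
    size_t remaining = len - vallen;
    if (vallen >= len + NAME_BUF)        /* logical error: wrong comparison */
        remaining = NAME_BUF - 1;
    return remaining;
}

/* Hardened parser. Assumed payload layout: [1-byte value length][value][name].
 * Copies the name into out (NUL-terminated) and returns its length,
 * or -1 if the packet is malformed or the name does not fit. */
int parse_peer_name(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    if (pkt == NULL || out == NULL || len < 1 || outsz == 0)
        return -1;
    size_t vallen = pkt[0];
    pkt++;
    len--;
    if (vallen > len)                    /* value field runs past the packet */
        return -1;
    size_t remaining = len - vallen;     /* bytes left for the name */
    if (remaining >= outsz)              /* validate size before copying */
        return -1;
    memcpy(out, pkt + vallen, remaining);
    out[remaining] = '\0';
    return (int)remaining;
}

int main(void)
{
    unsigned char big[1 + 4 + 300];      /* constructed: 300-byte name field */
    char name[NAME_BUF];
    memset(big, 'A', sizeof big);
    big[0] = 4;
    printf("flawed guard would copy %zu bytes into %d\n",
           flawed_copy_len(sizeof big - 1, 4), NAME_BUF);
    printf("hardened parser returns %d\n",
           parse_peer_name(big, sizeof big, name, sizeof name));
    return 0;
}
```

The hardened version rejects the oversized field outright instead of truncating it, so a malformed packet never reaches the copy.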
Vulnerable operating systems and applications
According to Sprundel, PPP daemon versions from 2.4.2 to 2.4.8 are affected by this remote code execution vulnerability.
The affected OSs are Debian, SUSE Linux, Ubuntu, Fedora, Red Hat Enterprise Linux, and NetBSD. The affected applications are TP-Link products, OpenWRT Embedded OS, Synology products, and Cisco CallManager. Users who are affected by this vulnerability are requested to update their operating systems and applications with the right security patches before attackers sneak in.