CVE-2020-8597: Linux systems pppd remote code execution vulnerability alert

On March 6, US-CERT issued an announcement about a 17-year-old remote code execution vulnerability in the Point-to-Point Protocol daemon (pppd) software, which affects virtually all Linux-based operating systems and network device firmware. The vulnerability (CVE-2020-8597) is a stack buffer overflow with a CVSS score of 9.8.

The announcement said:

"This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. Since the validation of the data size is incorrect, it is possible to copy arbitrary data into memory and cause memory corruption, which may result in the execution of unwanted code.

The vulnerability is in the logic of the EAP parsing code, in particular in the eap_request() and eap_response() functions in eap.c, which are called by a network input handler.

It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a password or passphrase. This is because an authenticated attacker can still send an unsolicited EAP packet to trigger the buffer overflow."
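
A simplified model of the kind of size-validation error the announcement describes, next to a corrected check. This is an added example, not pppd's eap.c code; the message layout, the buffer size and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256u  /* assumed size of the fixed stack buffer */

/* Hypothetical message body: len bytes in total; the first vallen bytes
 * are a value, the remaining len - vallen bytes are a peer name. */

/* Flawed check: compares vallen against len + NAME_BUF, which cannot be
 * true once vallen <= len holds, so the trimming branch is dead code.
 * Returns the byte count a parser would copy; no copy is done here. */
size_t name_bytes_flawed(size_t len, size_t vallen)
{
    if (vallen > len)
        return 0;
    if (vallen >= len + NAME_BUF)
        return NAME_BUF - 1;
    return len - vallen;          /* may exceed NAME_BUF */
}

/* Corrected check: bounds the quantity that is actually copied. */
size_t name_bytes_checked(size_t len, size_t vallen)
{
    if (vallen > len)
        return 0;
    if (len - vallen >= NAME_BUF)
        return NAME_BUF - 1;      /* trim to fit, leave room for NUL */
    return len - vallen;
}

/* Hardened parser: returns bytes copied, or -1 for a malformed body. */
int parse_name(const unsigned char *body, size_t len, size_t vallen,
               char name[NAME_BUF])
{
    if (body == NULL || vallen > len)
        return -1;
    size_t n = name_bytes_checked(len, vallen);
    memcpy(name, body + vallen, n);
    name[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed lengths: 1000-byte body with a 16-byte value. */
    printf("flawed: %zu bytes, checked: %zu bytes, buffer: %u\n",
           name_bytes_flawed(1000, 16), name_bytes_checked(1000, 16), NAME_BUF);
    return 0;
}
```

The flawed variant reports a copy length larger than the destination buffer for the constructed input, while the corrected variant trims it to fit.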

Affected versions

  • Point-to-Point Protocol Daemon (pppd) version 2.4.2 to 2.4.8

Affected systems and equipment

  • Debian
  • Linux
  • NetBSD
  • Enterprise Linux
  • Cisco CallManager
  • TP-LINK 
  • OpenWRT Embedded OS
  • Synology (DiskStation Manager, VisualStation, Router Manager)

Solution

At present, pppd and some Linux systems have released security patches for supported products to fix the vulnerability. Affected users should install the patches as soon as possible.

Origin www.linuxidc.com/Linux/2020-03/162556.htm