The US-CERT today issued advisory warning users of a new dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux based operating systems, as well as powers the firmware of many other networking devices.
The affected pppd software is an implementation of Point-to-Point Protocol (PPP) that enables communication and data transfer between nodes, primarily used to establish internet links such as those over dial-up modems, DSL broadband connections, and Virtual Private Networks.
Discovered by IOActive security researcher Ilja Van Sprundel, the critical issue is a stack buffer overflow vulnerability that exists due to a logical error in the Extensible Authentication Protocol (EAP) packet parser of the pppd software, an extension that provides support for additional authentication methods in PPP connections.
The vulnerability, tracked as CVE-2020-8597 with CVSS Score 9.8, can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them.
For this, all an attacker needs to do is to send an unsolicited malformed EAP packet to a vulnerable ppp client or a server over a direct serial link, ISDN, Ethernet, SSH, SOcket CAT, PPTP, GPRS, or ATM networks.
Additionally, since pppd often runs with high privileges and works in conjunction with kernel drivers, the flaw could allow attackers to potentially execute malicious code with the system or root-level privileges.
“This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption, possibly leading to the execution of unwanted code,” the advisory says.
“The vulnerability is in the logic of the eap parsing code, specifically in the eap_request() and eap_response() functions in eap.c that are called by a network input handler.”
“It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send unsolicited EAP packet to trigger the buffer overflow.”
images from Hacker News