A 17-year-old remote code execution bug that impacts the PPP daemon software (pppd) in nearly all Linux operating systems was just reported.
The PPP daemon comes installed on a wide range of Linux distros, and it also powers the firmware of a range of networking devices. The RCE vulnerability is also known as CVE-2020-8597, and was discovered by IOActive security researcher Ilja Van Sprundel.
pppd is an implementation of the Point-to-Point Protocol (PPP), which provides communication and data transfer between two nodes. PPP links are mainly used to establish internet connections such as those over dial-up modems, DSL broadband connections, and Virtual Private Networks.
More about PPP daemon (pppd)
“PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP). The pppd software can also authenticate a network connected peer and/or supply authentication information to the peer using multiple authentication protocols including EAP,” explains the CERT Coordination Center.
The CVE-2020-8597 Flaw Explained
There is a flaw in the Extensible Authentication Protocol (EAP) packet processing in pppd that could allow an unauthenticated, remote attacker to cause a stack buffer overflow. This could in turn allow arbitrary code execution on the affected Linux system. In other words, CVE-2020-8597 is the result of an error in validating the size of input data before the supplied data is copied into memory.
“As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code,” the official advisory says.
More specifically, CVE-2020-8597 is located in the EAP parsing logic, in the eap_request() and eap_response() functions in eap.c, which are called by a network input handler.
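As an added illustration of the bug class described above (this is not pppd's own code and does not reproduce the project's exact expressions), the C sketch below models a simplified MD5-Challenge parser: a fixed-size stack buffer receives the peer name that follows the challenge value, and the difference between a length check written against the wrong quantity and one written against the number of bytes actually copied decides whether an over-long name overflows that buffer. The packet layout, the 256-byte buffer size and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF  256   /* assumed fixed-size stack buffer for the peer name */
#define MIN_VALUE 8     /* assumed minimum size of the challenge value */

/* Assumed layout of the data after the EAP header (a simplification):
 *   [value_size: 1 byte][value: value_size bytes][peer name: the rest]
 * `len` below is the number of bytes following the value_size byte. */

/* Weak check: compares value_size against len + sizeof(buffer). Once the
 * value itself has been validated, value_size can never exceed len, so this
 * condition never trips and an over-long peer name is not caught. */
static bool name_fits_weak(unsigned value_size, unsigned len)
{
    return !(value_size >= len + NAME_BUF);
}

/* Correct check: bound the quantity that is actually copied, the peer name
 * length len - value_size, against the destination buffer. */
static bool name_fits_fixed(unsigned value_size, unsigned len)
{
    return (len - value_size) < NAME_BUF;
}

typedef struct {
    unsigned value_size;
    uint8_t  value[255];
    char     name[NAME_BUF];
    bool     truncated;
} md5_response;

/* Parse the value part of an MD5-Challenge message using the fixed check.
 * Returns 0 on success, -1 if the packet is malformed. The peer name is
 * NUL-terminated and truncated to NAME_BUF - 1 bytes when it is longer. */
int parse_md5_challenge(const uint8_t *inp, unsigned len, md5_response *out)
{
    if (len < 1)
        return -1;
    unsigned value_size = inp[0];
    inp++;
    len--;
    /* The value must be present in full and meet the minimum size. */
    if (value_size < MIN_VALUE || value_size > len)
        return -1;
    memcpy(out->value, inp, value_size);
    out->value_size = value_size;

    unsigned name_len = len - value_size;
    if (!name_fits_fixed(value_size, len)) {
        /* Name longer than the buffer: copy only what fits. */
        memcpy(out->name, inp + value_size, NAME_BUF - 1);
        out->name[NAME_BUF - 1] = '\0';
        out->truncated = true;
    } else {
        memcpy(out->name, inp + value_size, name_len);
        out->name[name_len] = '\0';
        out->truncated = false;
    }
    return 0;
}

/* Build a constructed sample packet (16-byte value of 0x11 followed by
 * `name_len` bytes of 'A') and parse it. Returns the stored name length,
 * or -1 if the packet is rejected or too large for the sample buffer. */
int parse_sample(unsigned name_len)
{
    uint8_t pkt[1 + 16 + 1024];
    if (name_len > 1024)
        return -1;
    pkt[0] = 16;
    memset(pkt + 1, 0x11, 16);
    memset(pkt + 17, 'A', name_len);
    md5_response r;
    if (parse_md5_challenge(pkt, 1 + 16 + name_len, &r) != 0)
        return -1;
    return (int)strlen(r.name);
}

int main(void)
{
    /* A 300-byte peer name gives len = 316 after the size byte: the weak
     * check says it fits, the correct check does not. */
    printf("weak check accepts 300-byte name:  %s\n",
           name_fits_weak(16, 316) ? "yes (bug)" : "no");
    printf("fixed check accepts 300-byte name: %s\n",
           name_fits_fixed(16, 316) ? "yes" : "no");
    printf("stored name length, 300-byte name: %d\n", parse_sample(300));
    printf("stored name length, 4-byte name:   %d\n", parse_sample(4));
    return 0;
}
```

The point to take from the two checks is that the bound must be placed on the exact quantity passed to the copy: here that is the remaining name length, not the value length, and a check against the wrong variable is indistinguishable from no check at all for the packets that matter.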
Who is affected?
It has been confirmed that the following popular Linux distros are affected by the flaw: Debian, Ubuntu, SUSE Linux, Fedora, NetBSD, and Red Hat Enterprise Linux. Other affected products include Cisco CallManager, TP-Link products, the OpenWRT embedded OS, and Synology products.
The advice is to update the affected software with the latest patches provided by the respective vendor. “It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send an unsolicited EAP packet to trigger the buffer overflow,” the advisory says.