Pierluigi Paganini March 06, 2020

A critical remote code execution vulnerability affecting the PPP Daemon exposes most Linux systems to cyber attacks.

A 17-year-old critical remote code execution vulnerability affecting the PPP Daemon software exposes most Linux systems to hack.

The US-CERT issued a security advisory warning users of the RCE in the PPP daemon (pppd) software that is part of almost all Linux based operating systems.

The pppd software is an implementation of Point-to-Point Protocol (PPP) that is used to establish internet links over dial-up modems, DSL connections, and many other types of point-to-point links.

The flaw, tracked as CVE-2020-8597, was discovered by the expert Ilja Van Sprundel from IOActive, it is a stack buffer overflow issue that is caused by a logical error in the Extensible Authentication Protocol (EAP) packet parser of the pppd software.

The vulnerability can be exploited by remote attackers to execute arbitrary code on affected systems and take full control over them.

It could be exploited by sending an unsolicited malformed EAP packet to a vulnerable ppp client or a server.

The CVE-2020-8597 remote code execution issue received a CVSS Score 9.8, it affects PPP Daemon versions 2.4.2 through 2.4.8.

“This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code.” reads the security advisory published by the expert.

“The vulnerability is in the logic of the eap parsing code, specifically in the eap_request() and eap_response() functions in eap.c that are called by a network input handler.”

The expert pointed out that the pppd often runs with high privileges (system or root) and works in conjunction with kernel drivers. This means that the attacker could exploit the issue to potentially execute arbitrary code with high privileges.

“It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send unsolicited EAP packet to trigger the buffer overflow.” continues the advisory.

The vulnerability affects the most popular Linux distributions, below the associated advisories:

• Debian
• Ubuntu
• SUSE Linux
• Fedora
• NetBSD
• Red Hat Enterprise Linux

Pierluigi Paganini

(SecurityAffairs – PPP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]