PPP Daemon flaw opens Linux distros, networking devices to takeover attacks

A vulnerability (CVE-2020-8597) in the Point-to-Point Protocol Daemon (pppd) software, which comes installed on many Linux-based and Unix-like operating systems and networking devices, can be exploited by unauthenticated attackers to achieve code execution on – and takeover of – a targeted system.


The vulnerability affects Debian GNU/Linux, NetBSD, Red Hat, Ubuntu, OpenWRT, TP-LINK and Cisco offerings, and other software/products.

About the vulnerability (CVE-2020-8597)

Pppd is a daemon that is used to manage PPP session establishment and session termination between two nodes on Unix-like operating systems.

CVE-2020-8597 is a stack buffer overflow caused by a flaw in Extensible Authentication Protocol (EAP) packet processing in the eap_request and eap_response subroutines.

It can be exploited remotely and without authentication simply by sending an unsolicited, specially crafted EAP packet to a vulnerable pppd client or server.

The flaw was discovered and responsibly disclosed by Ilja Van Sprundel, Director of Penetration Testing at IOActive.

It affects pppd versions 2.4.2 through 2.4.8 and was patched upstream in early February 2020.

“PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP). The pppd software can also authenticate a network connected peer and/or supply authentication information to the peer using multiple authentication protocols including EAP,” IOActive explained in a security advisory.

“Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code.”
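The size-validation error the advisory describes, as an added example that is not code from the article, from IOActive or from the pppd project: a C model of the MD5-Challenge handling in pppd's eap_request(). The buffer name rhostname, its 256-byte size and the shape of the vulnerable and corrected comparisons follow the upstream fix as I recall it and are illustrative assumptions, not a quotation of eap.c. The code computes how many bytes each version of the check would let through rather than performing the copy, so running it overflows nothing.

```c
/* Added example modelling the CVE-2020-8597 bounds check; not pppd's code.
 * Assumed from the upstream fix: the peer name is copied into a 256-byte
 * stack buffer rhostname after a one-byte value length (vallen). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_SIZE 256          /* assumed sizeof(rhostname) in pppd */

/* What the handler would do with one MD5-Challenge payload. */
struct eap_copy_plan {
    bool   rejected;   /* packet refused before any copy */
    bool   trimmed;    /* peer name truncated to fit rhostname */
    size_t copy_len;   /* bytes that would be copied into rhostname */
};

/* Payload after the EAP Type byte: [vallen:1][value:vallen][peer name:rest].
 * 'len' counts the bytes after the Type byte. Returns false when pppd's
 * pre-existing checks would already reject the packet. */
static bool parse_md5_challenge(const uint8_t *inp, size_t len,
                                size_t *vallen, size_t *name_len)
{
    if (len < 1)
        return false;                     /* challenge with no data */
    *vallen = inp[0];
    len--;                                /* consume the vallen byte */
    if (*vallen < 8 || *vallen > len)     /* bad challenge length */
        return false;
    *name_len = len - *vallen;            /* bytes left for the peer name */
    return true;
}

/* Vulnerable condition: vallen >= len + sizeof(rhostname). The parser has
 * just enforced vallen <= len, so this is never true and len - vallen bytes
 * are copied unbounded. */
struct eap_copy_plan plan_vulnerable(const uint8_t *inp, size_t len)
{
    struct eap_copy_plan p = { true, false, 0 };
    size_t vallen, name_len;
    if (!parse_md5_challenge(inp, len, &vallen, &name_len))
        return p;
    p.rejected = false;
    if (vallen >= (len - 1) + RHOSTNAME_SIZE) {   /* unsatisfiable */
        p.trimmed = true;
        p.copy_len = RHOSTNAME_SIZE - 1;
    } else {
        p.copy_len = name_len;                     /* attacker-controlled */
    }
    return p;
}

/* Fixed condition: compare the bytes about to be copied (len - vallen)
 * against the destination size. */
struct eap_copy_plan plan_fixed(const uint8_t *inp, size_t len)
{
    struct eap_copy_plan p = { true, false, 0 };
    size_t vallen, name_len;
    if (!parse_md5_challenge(inp, len, &vallen, &name_len))
        return p;
    p.rejected = false;
    if (name_len >= RHOSTNAME_SIZE) {
        p.trimmed = true;
        p.copy_len = RHOSTNAME_SIZE - 1;
    } else {
        p.copy_len = name_len;
    }
    return p;
}

/* The copy is followed by a NUL at rhostname[copy_len], so copy_len + 1
 * bytes are written; reaching RHOSTNAME_SIZE overruns the stack buffer. */
bool would_overflow(struct eap_copy_plan p)
{
    return !p.rejected && p.copy_len + 1 > RHOSTNAME_SIZE;
}

/* Build a constructed MD5-Challenge payload; returns its length or 0 if it
 * does not fit in cap. Contents are arbitrary filler, not a real exchange. */
size_t build_md5_challenge(uint8_t *buf, size_t cap, uint8_t vallen, size_t name_len)
{
    size_t total = 1 + vallen + name_len;
    if (total > cap)
        return 0;
    buf[0] = vallen;
    memset(buf + 1, 0xAA, vallen);            /* challenge value */
    memset(buf + 1 + vallen, 'A', name_len);  /* oversized "peer name" */
    return total;
}

/* Build one payload (within a 1500-byte frame) and run one of the handlers. */
struct eap_copy_plan plan_for(bool fixed, uint8_t vallen, size_t name_len)
{
    uint8_t pkt[1500];
    size_t len = build_md5_challenge(pkt, sizeof pkt, vallen, name_len);
    return fixed ? plan_fixed(pkt, len) : plan_vulnerable(pkt, len);
}

int main(void)
{
    struct eap_copy_plan v = plan_for(false, 16, 1000);
    struct eap_copy_plan f = plan_for(true, 16, 1000);
    printf("vulnerable: copy %zu bytes into %d -> overflow=%d\n",
           v.copy_len, RHOSTNAME_SIZE, would_overflow(v));
    printf("fixed:      copy %zu bytes into %d -> overflow=%d trimmed=%d\n",
           f.copy_len, RHOSTNAME_SIZE, would_overflow(f), f.trimmed);
    return 0;
}
```

The point of the model is that the vulnerable code did contain a length check; it was just one that compared the wrong quantities, so it could never fire once the earlier vallen <= len test had passed. That is the pattern the advisory calls "an error in validating the size of the input before copying the supplied data into memory", and it is why a review that only confirms a bounds check exists, without asking what it bounds, would have missed this.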

What now?

“Update your software with the latest available patches provided by your software vendor,” IOActive advises. “It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send an unsolicited EAP packet to trigger the buffer overflow.”

CERT/CC’s advisory provides up-to-date information about affected products from various vendors and links to those vendors’ advisories, which in turn link to fixes (as they are made available).

Tenable says that there are still no working PoCs for this vulnerability, but that some may appear soon.

“One appears to be a work-in-progress, while another claims that a PoC will be released for this vulnerability ‘in a week or two when things die down.’”
