The Point-to-Point Protocol Daemon (pppd) software comes installed on almost all Linux operating systems, and also powers the firmware of many networking devices.
While the pppd software enables data transfer between the nodes, which are primarily used to establish internet links, such as those used with dial-up modems, Virtual Private Networks (VPNs) and DSL broadband connections. But, security researcher Ilja Van Sprundel, reported a critical issue of stack buffer overflow vulnerability that exists in the Extensible Authentication Protocol (EAP) packet parser of the pppd software.
The vulnerability is marked as CVE-2020-8597 with the Common Vulnerability Scoring System (CVSS) 9.8 score; it is exploited by unauthenticated attackers to execute arbitrary code remotely on affected systems, and taking full control over them.
The Scope of the PPPD Vulnerability
As the pppd software is also adopted into lightweight IP (lwIP) project to provide pppd capabilities to small devices, the default packages of lwIP are not vulnerable to the flaw in buffer overflow. But if you use the lwIP source code, configured specifically to enable EAP at compile time, your software may likely be vulnerable to the buffer overflow.
And sending an unsolicited EAP packet to a vulnerable ppp client or server, could cause memory corruption in the pppd process, which could allow for arbitrary code execution.
Since pppd works in conjunction with kernel drivers with high privileges, the flaw could allow unauthenticated attackers to potentially execute malicious code with root-level privileges.
How to secure your Linux System
According to the security researcher, all the Point-to-Point Protocol Daemon versions 2.4.2 to 2.4.8 released in the last 17 years are vulnerable to the new remote code execution vulnerability.
It is recommended that you update your software with the latest available patches provided by the software vendor.
While assuming that pppd is not vulnerable if EAP is not enabled or has not been negotiated by a remote peer using a passphrase is incorrect. Due to the fact that an unauthenticated attacker may still be able to send unsolicited EAP packet to trigger the buffer overflow.
No comments