ID

VAR-202002-1458


CVE

CVE-2020-8597


TITLE

pppd vulnerable to buffer overflow due to a flaw in EAP packet processing

Trust: 0.8

sources: CERT/CC: VU#782301

DESCRIPTION

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. pppd (Point to Point Protocol Daemon) versions 2.4.2 through 2.4.8 are vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in the eap_request and eap_response subroutines.

PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links, including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP). The pppd software can also authenticate a network-connected peer and/or supply authentication information to the peer using multiple authentication protocols, including EAP.

Due to a flaw in the EAP packet processing in pppd, an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. The vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. Because the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption, possibly leading to execution of unwanted code.

The vulnerability is in the logic of the EAP parsing code, specifically in the eap_request() and eap_response() functions in eap.c, which are called by a network input handler. These functions take a pointer and a length as input, using the first byte as a type. If the type is EAPT_MD5CHAP(4), the code looks at an embedded 1-byte length field. The logic is intended to make sure that the embedded length is smaller than the whole packet length. After this verification, it tries to copy the provided data (the hostname) located after the embedded length field into a local stack buffer. This bounds check is incorrect and allows the memory copy to happen with an arbitrary length of data.

An additional logic flaw causes the eap_input() function to not check whether EAP has been negotiated during the Link Control Protocol (LCP) phase. This allows an unauthenticated attacker to send an EAP packet even if ppp refused the authentication negotiation due to lack of support for EAP or due to a mismatch of an agreed pre-shared passphrase in the LCP phase. The vulnerable pppd code in eap_input will still process the EAP packet and trigger the stack buffer overflow. This unverified data with an unknown size can be used to corrupt memory of the target system. pppd often runs with high privileges (system or root) and works in conjunction with kernel drivers. This makes it possible for an attacker to potentially execute arbitrary code with system or root level privileges.

The pppd software is also adopted into the lwIP (lightweight IP) project to provide pppd capabilities for small devices. The default installer and packages of lwIP are not vulnerable to this buffer overflow. However, if you have used the lwIP source code and configured it specifically to enable EAP at compile time, your software is likely vulnerable to the buffer overflow. The recommended update is available from the Git repository http://git.savannah.nongnu.org/cgit/lwip.git.

This type of weakness is commonly associated in Common Weakness Enumeration (CWE) with CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'). A proof-of-concept exploit for PPTP VPN servers, with additional tools, is available in the CERT/CC PoC repository. By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. ppp contains a classic buffer overflow vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
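The length check and the missing negotiation gate described above, modelled in C as an added example; this is not pppd's own code. The comparison shown as flawed follows the upstream fix "pppd: Fix bounds check in EAP code" listed under PATCH; the function names, the `eap_negotiated` flag and the 256-byte buffer size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAPT_MD5CHAP  4    /* EAP type value quoted in the description */
#define RHOSTNAME_MAX 256  /* assumed size of the local peer-name buffer */

/* Bytes the pre-fix logic would copy into the name buffer.
 *   len    = bytes left after the type and value-size octets
 *   vallen = embedded 1-byte value size (already checked to be <= len)
 * The trim test compares the wrong quantities: a 1-byte vallen is at most
 * 255, so it is never >= len + RHOSTNAME_MAX and the trim never happens. */
size_t copy_len_flawed(size_t len, size_t vallen)
{
    if (vallen >= len + RHOSTNAME_MAX)
        return RHOSTNAME_MAX - 1;
    return len - vallen;              /* sender-controlled, not bounded */
}

/* Corrected test: bound the name length itself, leaving room for NUL. */
size_t copy_len_fixed(size_t len, size_t vallen)
{
    if (len - vallen >= RHOSTNAME_MAX)
        return RHOSTNAME_MAX - 1;
    return len - vallen;
}

enum eap_status { EAP_OK, EAP_NOT_NEGOTIATED, EAP_SHORT, EAP_UNHANDLED_TYPE };

struct peer_name {
    char   text[RHOSTNAME_MAX];
    size_t len;       /* bytes stored, excluding the terminator */
    int    trimmed;   /* 1 if the name was cut to fit */
};

/* Hardened parse of an MD5-Challenge body.
 * pkt points at the EAP type octet; pktlen is what remains of the packet. */
enum eap_status parse_md5chap(const uint8_t *pkt, size_t pktlen,
                              int eap_negotiated, struct peer_name *out)
{
    size_t len, vallen, n;

    memset(out, 0, sizeof *out);
    if (!eap_negotiated)
        return EAP_NOT_NEGOTIATED;    /* drop EAP that LCP never agreed to */
    if (pktlen < 2)
        return EAP_SHORT;             /* need type + value-size octets */
    if (pkt[0] != EAPT_MD5CHAP)
        return EAP_UNHANDLED_TYPE;

    vallen = pkt[1];
    len = pktlen - 2;
    if (vallen > len)
        return EAP_SHORT;             /* value would run past the packet */

    n = copy_len_fixed(len, vallen);
    out->trimmed = (n != len - vallen);
    memcpy(out->text, pkt + 2 + vallen, n);
    out->text[n] = '\0';
    out->len = n;
    return EAP_OK;
}

int main(void)
{
    /* Constructed packet: type 4, 16-byte value, 300-byte peer name. */
    uint8_t pkt[2 + 16 + 300];
    struct peer_name name;

    memset(pkt, 'h', sizeof pkt);
    pkt[0] = EAPT_MD5CHAP;
    pkt[1] = 16;

    printf("flawed check: copy %zu bytes into a %d-byte buffer\n",
           copy_len_flawed(sizeof pkt - 2, 16), RHOSTNAME_MAX);
    if (parse_md5chap(pkt, sizeof pkt, 1, &name) == EAP_OK)
        printf("fixed parser: stored %zu bytes, trimmed=%d\n",
               name.len, name.trimmed);
    return 0;
}
```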
=========================================================================
Ubuntu Security Notice USN-4288-2
March 02, 2020

ppp vulnerability
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

ppp could be made to crash or run programs if it received specially crafted network traffic.

This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that ppp incorrectly handled certain rhostname values.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM:
  ppp 2.4.5-5.1ubuntu2.3+esm1

Ubuntu 12.04 ESM:
  ppp 2.4.5-5ubuntu1.3

In general, a standard system update will make all the necessary changes.

6) - i386, x86_64 3.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: ppp security update
Advisory ID: RHSA-2020:0630-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0630
Issue date: 2020-02-27
CVE Names: CVE-2020-8597
=====================================================================

1. Summary:

An update for ppp is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The ppp packages contain the Point-to-Point Protocol (PPP) daemon and documentation for PPP support. The PPP protocol provides a method for transmitting datagrams over serial point-to-point links. PPP is usually used to dial in to an Internet Service Provider (ISP) or other organization over a modem and phone line.

Security Fix(es):

* ppp: Buffer overflow in the eap_request and eap_response functions in eap.c (CVE-2020-8597)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ppp-2.4.5-34.el7_7.src.rpm

x86_64:
ppp-2.4.5-34.el7_7.x86_64.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
ppp-debuginfo-2.4.5-34.el7_7.i686.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm
ppp-devel-2.4.5-34.el7_7.i686.rpm
ppp-devel-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ppp-2.4.5-34.el7_7.src.rpm

x86_64:
ppp-2.4.5-34.el7_7.x86_64.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
ppp-debuginfo-2.4.5-34.el7_7.i686.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm
ppp-devel-2.4.5-34.el7_7.i686.rpm
ppp-devel-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ppp-2.4.5-34.el7_7.src.rpm

ppc64:
ppp-2.4.5-34.el7_7.ppc64.rpm
ppp-debuginfo-2.4.5-34.el7_7.ppc64.rpm

ppc64le:
ppp-2.4.5-34.el7_7.ppc64le.rpm
ppp-debuginfo-2.4.5-34.el7_7.ppc64le.rpm

s390x:
ppp-2.4.5-34.el7_7.s390x.rpm
ppp-debuginfo-2.4.5-34.el7_7.s390x.rpm

x86_64:
ppp-2.4.5-34.el7_7.x86_64.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
ppp-debuginfo-2.4.5-34.el7_7.ppc.rpm
ppp-debuginfo-2.4.5-34.el7_7.ppc64.rpm
ppp-devel-2.4.5-34.el7_7.ppc.rpm
ppp-devel-2.4.5-34.el7_7.ppc64.rpm

ppc64le:
ppp-debuginfo-2.4.5-34.el7_7.ppc64le.rpm
ppp-devel-2.4.5-34.el7_7.ppc64le.rpm

s390x:
ppp-debuginfo-2.4.5-34.el7_7.s390.rpm
ppp-debuginfo-2.4.5-34.el7_7.s390x.rpm
ppp-devel-2.4.5-34.el7_7.s390.rpm
ppp-devel-2.4.5-34.el7_7.s390x.rpm

x86_64:
ppp-debuginfo-2.4.5-34.el7_7.i686.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm
ppp-devel-2.4.5-34.el7_7.i686.rpm
ppp-devel-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ppp-2.4.5-34.el7_7.src.rpm

x86_64:
ppp-2.4.5-34.el7_7.x86_64.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
ppp-debuginfo-2.4.5-34.el7_7.i686.rpm
ppp-debuginfo-2.4.5-34.el7_7.x86_64.rpm
ppp-devel-2.4.5-34.el7_7.i686.rpm
ppp-devel-2.4.5-34.el7_7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-8597
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

8) - aarch64, ppc64le, s390x, x86_64 3.

Gentoo Linux Security Advisory GLSA 202003-19
https://security.gentoo.org/

Severity: High
Title: PPP: Buffer overflow
Date: March 15, 2020
Bugs: #710308
ID: 202003-19

Synopsis
========

A buffer overflow in PPP might allow a remote attacker to execute arbitrary code.

Affected packages
=================

    Package            /  Vulnerable  /  Unaffected
    -----------------------------------------------
 1  net-dialup/ppp        < 2.4.8        >= 2.4.8

Description
===========

It was discovered that bounds check in PPP for the rhostname was improperly constructed in the EAP request and response functions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PPP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/ppp-2.4.8"

References
==========

[ 1 ] CVE-2020-8597
      https://nvd.nist.gov/vuln/detail/CVE-2020-8597

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202003-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

For the oldstable distribution (stretch), this problem has been fixed in version 2.4.7-1+4+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 2.4.7-2+4.1+deb10u1.

For the detailed security status of ppp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ppp

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Trust: 3.15

sources: NVD: CVE-2020-8597 // CERT/CC: VU#782301 // JVNDB: JVNDB-2020-001593 // VULMON: CVE-2020-8597 // PACKETSTORM: 156597 // PACKETSTORM: 156561 // PACKETSTORM: 156549 // PACKETSTORM: 156458 // PACKETSTORM: 156559 // PACKETSTORM: 156554 // PACKETSTORM: 156739 // PACKETSTORM: 168774

AFFECTED PRODUCTS

vendor: wago, model: pfc, scope: lt, version: 03.04.10(16)

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 12.04

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 14.04

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 10.0

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 19.04

Trust: 1.0

vendor: point to point protocol, model: point-to-point protocol, scope: gte, version: 2.4.2

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.04

Trust: 1.0

vendor: point to point protocol, model: point-to-point protocol, scope: lte, version: 2.4.8

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 9.0

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 16.04

Trust: 1.0

vendor: point to point protocol, model: point-to-point protocol, scope: eq, version: 2.4.2 to 2.4.8

Trust: 0.8

sources: JVNDB: JVNDB-2020-001593 // NVD: CVE-2020-8597

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8597
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-8597
value: HIGH

Trust: 0.8

NVD: JVNDB-2020-001593
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202002-029
value: CRITICAL

Trust: 0.6

VULMON: CVE-2020-8597
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-8597
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2020-8597
severity: HIGH
baseScore: 9.3
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD: JVNDB-2020-001593
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2020-8597
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-001593
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CERT/CC: VU#782301 // VULMON: CVE-2020-8597 // JVNDB: JVNDB-2020-001593 // CNNVD: CNNVD-202002-029 // NVD: CVE-2020-8597

PROBLEMTYPE DATA

problemtype:CWE-120

Trust: 2.6

sources: CERT/CC: VU#782301 // JVNDB: JVNDB-2020-001593 // NVD: CVE-2020-8597

THREAT TYPE

remote

Trust: 0.9

sources: PACKETSTORM: 156597 // PACKETSTORM: 156458 // PACKETSTORM: 156739 // CNNVD: CNNVD-202002-029

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202002-029

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001593

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#782301

PATCH

title: pppd: Fix bounds check in EAP code
url: https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426

Trust: 0.8

title: ppp Buffer error vulnerability fix
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=111043

Trust: 0.6

title: Red Hat: Important: ppp security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200630 - Security Advisory

Trust: 0.1

title: Red Hat: Important: ppp security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200634 - Security Advisory

Trust: 0.1

title: Red Hat: Important: ppp security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200631 - Security Advisory

Trust: 0.1

title: Red Hat: Important: ppp security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20200633 - Security Advisory

Trust: 0.1

title: Ubuntu Security Notice: ppp vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4288-1

Trust: 0.1

title: Ubuntu Security Notice: ppp vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4288-2

Trust: 0.1

title: Debian CVElist Bug Report Logs: ppp: CVE-2020-8597: Fix bounds check in EAP code
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=a22a6da34189b0f5668819364fab3eb5

Trust: 0.1

title: Debian Security Advisories: DSA-4632-1 ppp -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=09892726301f394d4585b87fe5ae0272

Trust: 0.1

title: Amazon Linux AMI: ALAS-2020-1371
url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1371

Trust: 0.1

title: Amazon Linux 2: ALAS2-2020-1400
url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1400

Trust: 0.1

title: Arch Linux Issues:
url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-8597 log

Trust: 0.1

title: Point-to-Point-Protocol-Daemon-RCE-Vulnerability-CVE-2020-8597-
url: https://github.com/Dilan-Diaz/Point-to-Point-Protocol-Daemon-RCE-Vulnerability-CVE-2020-8597-

Trust: 0.1

title: Xiaomi Redmi Router AC2100
url: https://github.com/Juanezm/openwrt-redmi-ac2100

Trust: 0.1

title: CVE-2020-8597
url: https://github.com/marcinguy/CVE-2020-8597

Trust: 0.1

title: CVE-2020-8597
url: https://github.com/WinMin/CVE-2020-8597

Trust: 0.1

title: Xiaomi-RM2100-1.0.14-vs.-CVE-2020-8597
url: https://github.com/syb999/pppd-cve

Trust: 0.1

title: Bulk Security Pull Request Generator
url: https://github.com/JLLeitschuh/bulk-security-pr-generator

Trust: 0.1

title: Protocol-Vulnerability Related Resources Contributors
url: https://github.com/WinMin/Protocol-Vul

Trust: 0.1

title: https://github.com/huike007/poc
url: https://github.com/huike007/poc

Trust: 0.1

sources: VULMON: CVE-2020-8597 // JVNDB: JVNDB-2020-001593 // CNNVD: CNNVD-202002-029

EXTERNAL IDS

db: NVD, id: CVE-2020-8597

Trust: 4.1

db: CERT/CC, id: VU#782301

Trust: 3.2

db: ICS CERT, id: ICSA-20-224-04

Trust: 2.4

db: PACKETSTORM, id: 156662

Trust: 1.6

db: PACKETSTORM, id: 156802

Trust: 1.6

db: SIEMENS, id: SSA-809841

Trust: 1.6

db: JVN, id: JVNVU99700555

Trust: 0.8

db: JVN, id: JVNVU96514651

Trust: 0.8

db: JVNDB, id: JVNDB-2020-001593

Trust: 0.8

db: PACKETSTORM, id: 156458

Trust: 0.7

db: PACKETSTORM, id: 156739

Trust: 0.7

db: AUSCERT, id: ESB-2020.0696

Trust: 0.6

db: AUSCERT, id: ESB-2020.0639

Trust: 0.6

db: AUSCERT, id: ESB-2020.0615

Trust: 0.6

db: AUSCERT, id: ESB-2020.0462

Trust: 0.6

db: AUSCERT, id: ESB-2020.2766

Trust: 0.6

db: AUSCERT, id: ESB-2020.0761

Trust: 0.6

db: AUSCERT, id: ESB-2020.0722

Trust: 0.6

db: AUSCERT, id: ESB-2020.1910

Trust: 0.6

db: CXSECURITY, id: WLB-2020030097

Trust: 0.6

db: NSFOCUS, id: 46090

Trust: 0.6

db: CNNVD, id: CNNVD-202002-029

Trust: 0.6

db: VULMON, id: CVE-2020-8597

Trust: 0.1

db: PACKETSTORM, id: 156597

Trust: 0.1

db: PACKETSTORM, id: 156561

Trust: 0.1

db: PACKETSTORM, id: 156549

Trust: 0.1

db: PACKETSTORM, id: 156559

Trust: 0.1

db: PACKETSTORM, id: 156554

Trust: 0.1

db: PACKETSTORM, id: 168774

Trust: 0.1

sources: CERT/CC: VU#782301 // VULMON: CVE-2020-8597 // JVNDB: JVNDB-2020-001593 // PACKETSTORM: 156597 // PACKETSTORM: 156561 // PACKETSTORM: 156549 // PACKETSTORM: 156458 // PACKETSTORM: 156559 // PACKETSTORM: 156554 // PACKETSTORM: 156739 // PACKETSTORM: 168774 // CNNVD: CNNVD-202002-029 // NVD: CVE-2020-8597

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-224-04

Trust: 3.0

url:https://lists.debian.org/debian-lts-announce/2020/02/msg00005.html

Trust: 3.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-8597

Trust: 2.2

url:http://packetstormsecurity.com/files/156802/pppd-2.4.8-buffer-overflow.html

Trust: 2.2

url:http://packetstormsecurity.com/files/156662/pppd-2.4.8-buffer-overflow.html

Trust: 2.2

url:https://access.redhat.com/errata/rhsa-2020:0631

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2020:0630

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2020:0633

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2020:0634

Trust: 1.7

url:https://security.gentoo.org/glsa/202003-19

Trust: 1.7

url:https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636af

Trust: 1.6

url:https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426

Trust: 1.6

url:https://www.synology.com/security/advisory/synology_sa_20_02

Trust: 1.6

url:http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00006.html

Trust: 1.6

url:http://seclists.org/fulldisclosure/2020/mar/6

Trust: 1.6

url:https://kb.netgear.com/000061806/security-advisory-for-unauthenticated-remote-buffer-overflow-attack-in-pppd-on-wac510-psv-2020-0136

Trust: 1.6

url:https://security.netapp.com/advisory/ntap-20200313-0004/

Trust: 1.6

url:https://cert-portal.siemens.com/productcert/pdf/ssa-809841.pdf

Trust: 1.6

url:https://usn.ubuntu.com/4288-2/

Trust: 1.6

url:https://usn.ubuntu.com/4288-1/

Trust: 1.6

url:https://www.debian.org/security/2020/dsa-4632

Trust: 1.6

url:https://www.kb.cert.org/vuls/id/782301

Trust: 1.6

url:https://access.redhat.com/security/cve/cve-2020-8597

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/unjnhwoo4xf73m2w56ilzuy4jqg3jxir/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/yofdaiowswpg732asyuzninmxdhy4ape/

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-8597

Trust: 0.8

url:https://vulners.com/cve/cve-2020-8597

Trust: 0.8

url:http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86

Trust: 0.8

url:http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b

Trust: 0.8

url:https://github.com/certcc/poc-exploits/tree/master/cve-2020-8597-pptpd

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8597

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96514651/

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99700555/

Trust: 0.8

url:https://kb.cert.org/vuls/id/782301/

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/unjnhwoo4xf73m2w56ilzuy4jqg3jxir/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/yofdaiowswpg732asyuzninmxdhy4ape/

Trust: 0.6

url:https://source.android.com/security/bulletin/2020-06-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0639/

Trust: 0.6

url:https://packetstormsecurity.com/files/156739/gentoo-linux-security-advisory-202003-19.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0722/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0615/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0696/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0761/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2020030097

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0462/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2766/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/46090

Trust: 0.6

url:https://vigilance.fr/vulnerability/ppp-buffer-overflow-via-eap-request-31562

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1910/

Trust: 0.6

url:https://packetstormsecurity.com/files/156458/ubuntu-security-notice-usn-4288-1.html

Trust: 0.6

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://bugzilla.redhat.com/):

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://access.redhat.com/security/team/contact/

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.4

url:https://usn.ubuntu.com/4288-1

Trust: 0.2

url:https://usn.ubuntu.com/4288-2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/ppp/2.4.7-2+4.1ubuntu4.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/ppp/2.4.7-2+2ubuntu1.2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/ppp/2.4.7-1+2ubuntu1.16.04.2

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/ppp

Trust: 0.1

sources: CERT/CC: VU#782301 // JVNDB: JVNDB-2020-001593 // PACKETSTORM: 156597 // PACKETSTORM: 156561 // PACKETSTORM: 156549 // PACKETSTORM: 156458 // PACKETSTORM: 156559 // PACKETSTORM: 156554 // PACKETSTORM: 156739 // PACKETSTORM: 168774 // CNNVD: CNNVD-202002-029 // NVD: CVE-2020-8597

CREDITS

Thanks to Ilja Van Sprundel from IOActive for reporting this vulnerability. This document was written by Vijay Sarvepalli.

Trust: 0.8

sources: CERT/CC: VU#782301

SOURCES

db: CERT/CC, id: VU#782301
db: VULMON, id: CVE-2020-8597
db: JVNDB, id: JVNDB-2020-001593
db: PACKETSTORM, id: 156597
db: PACKETSTORM, id: 156561
db: PACKETSTORM, id: 156549
db: PACKETSTORM, id: 156458
db: PACKETSTORM, id: 156559
db: PACKETSTORM, id: 156554
db: PACKETSTORM, id: 156739
db: PACKETSTORM, id: 168774
db: CNNVD, id: CNNVD-202002-029
db: NVD, id: CVE-2020-8597

LAST UPDATE DATE

2024-11-23T20:27:31.156000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#782301, date: 2020-06-15T00:00:00
db: VULMON, id: CVE-2020-8597, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2020-001593, date: 2020-08-13T00:00:00
db: CNNVD, id: CNNVD-202002-029, date: 2023-05-06T00:00:00
db: NVD, id: CVE-2020-8597, date: 2024-11-21T05:39:05.957

SOURCES RELEASE DATE

db: CERT/CC, id: VU#782301, date: 2020-03-04T00:00:00
db: VULMON, id: CVE-2020-8597, date: 2020-02-03T00:00:00
db: JVNDB, id: JVNDB-2020-001593, date: 2020-02-18T00:00:00
db: PACKETSTORM, id: 156597, date: 2020-03-02T20:48:57
db: PACKETSTORM, id: 156561, date: 2020-02-27T15:59:22
db: PACKETSTORM, id: 156549, date: 2020-02-27T14:02:22
db: PACKETSTORM, id: 156458, date: 2020-02-20T21:18:33
db: PACKETSTORM, id: 156559, date: 2020-02-27T15:44:44
db: PACKETSTORM, id: 156554, date: 2020-02-27T17:02:22
db: PACKETSTORM, id: 156739, date: 2020-03-15T14:00:00
db: PACKETSTORM, id: 168774, date: 2020-02-28T20:12:00
db: CNNVD, id: CNNVD-202002-029, date: 2020-02-03T00:00:00
db: NVD, id: CVE-2020-8597, date: 2020-02-03T23:15:11.387