Published on: 06 March 2020
A vulnerability was found in the Extensible Authentication Protocol (EAP) packet processing performed by the eap_request and eap_response functions of pppd (Point-to-Point Protocol Daemon). An unauthenticated remote attacker could exploit the vulnerability by sending specially crafted packets to an affected system.
A successful attack could lead to arbitrary code execution on an affected system.
Some product vendors have fixed or have planned to fix the vulnerability in their Linux/Unix systems as listed below. The list is not exhaustive and it is recommended to consult the product vendors to confirm the availability of patches. System administrators should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.
https://www.us-cert.gov/ncas/current-activity/2020/03/05/point-point-protocol-daemon-vulnerability
https://www.kb.cert.org/vuls/id/782301/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597