A bug was found in pppd that allows remote code execution as root

A vulnerability in the pppd package has just been disclosed to the public (CVE-2020-8597). It seriously affects some VPN services, DSL connections and also Ethernet, because the bug allows code execution by sending specially crafted authentication requests to systems that use PPP (Point-to-Point Protocol) or PPPoE (PPP over Ethernet).

As mentioned, various providers often use these protocols to establish connections over Ethernet or DSL, and they are also used by some VPNs, e.g. pptpd and openfortivpn.

To test whether systems are susceptible to the problem, an exploit prototype was prepared, and it is already available to the general public.

About the bug

The vulnerability is caused by a buffer overflow in the Extensible Authentication Protocol (EAP) implementation.

An additional logic flaw causes the eap_input() function not to check whether EAP was negotiated during the Link Control Protocol (LCP) phase.

This allows an unauthenticated attacker to send an EAP packet even if pppd rejected the authentication negotiation due to a lack of EAP support or a mismatch of the pre-shared passphrase agreed in the LCP phase.

The vulnerable pppd code in eap_input will continue to process the EAP packet and trigger the stack buffer overflow.

This unverified data of unknown size can be used to corrupt the memory of the target system. pppd often runs with high privileges (system or root) and works in conjunction with kernel drivers, which makes it possible for an attacker to potentially run arbitrary code with root or system level privileges.

With that, an attack can be performed in the stage before authentication completes, by sending a packet of type EAPT_MD5CHAP that includes a very long hostname which does not fit in the allocated buffer.

Due to a bug in the code that checks the size of the rhostname field, the attacker can overwrite data outside the buffer on the stack and achieve remote execution of their code with root privileges.
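To make the two flaws concrete, here is an added example (not pppd's own code) of how an EAP MD5-Challenge handler should both gate on LCP negotiation and bound the peer name before copying it into a fixed on-stack buffer. The function names, return codes and buffer size are this example's own; the comment on the flawed comparison paraphrases the public fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Return codes; constructed for this example. */
enum { EAP_OK = 0, EAP_NOT_NEGOTIATED = -1, EAP_TRUNCATED = -2,
       EAP_NAME_TOO_LONG = -3, EAP_IGNORED = 1 };

#define EAP_REQUEST  1   /* EAP Code field value for Request (RFC 3748) */
#define EAPT_MD5CHAP 4   /* EAP Type field value for MD5-Challenge */

/* Body of an MD5-Challenge: value-size (1 byte), the challenge value, then
 * the peer name running to the end of the packet.  `len` is the number of
 * bytes after the Type octet.  The name is copied into the caller's fixed
 * buffer only after checking that it actually fits. */
static int parse_md5_challenge(const uint8_t *inp, size_t len,
                               char *rhostname, size_t rhostsize)
{
    if (len < 1)
        return EAP_TRUNCATED;
    size_t vallen = inp[0];
    inp++; len--;
    if (vallen > len)
        return EAP_TRUNCATED;        /* challenge value must lie inside the packet */
    size_t namelen = len - vallen;   /* whatever follows the value is the name */
    /* The flawed check compared vallen against len plus the buffer size, a
     * condition that cannot hold once vallen <= len, so an oversized name was
     * copied anyway.  The right question is whether the name fits, NUL included. */
    if (namelen >= rhostsize)
        return EAP_NAME_TOO_LONG;
    memcpy(rhostname, inp + vallen, namelen);
    rhostname[namelen] = '\0';
    return EAP_OK;
}

/* Entry point for a received EAP packet: Code, Identifier, Length (big-endian),
 * Type.  Packets are dropped outright unless EAP was agreed during LCP, which
 * is the gate the text says eap_input() lacked. */
int eap_input_checked(int eap_negotiated, const uint8_t *pkt, size_t len,
                      char *rhostname, size_t rhostsize)
{
    if (!eap_negotiated)
        return EAP_NOT_NEGOTIATED;
    if (len < 5)
        return EAP_TRUNCATED;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < 5 || plen > len)
        return EAP_TRUNCATED;        /* never trust the on-wire Length blindly */
    if (pkt[0] == EAP_REQUEST && pkt[4] == EAPT_MD5CHAP)
        return parse_md5_challenge(pkt + 5, plen - 5, rhostname, rhostsize);
    return EAP_IGNORED;              /* other codes and types are not handled here */
}
```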

The vulnerability manifests itself on both the server and the client side: not only can the server be attacked, but also a client that tries to connect to a server controlled by the attacker (for example, an attacker can first compromise the server through the vulnerability and then start attacking the clients that connect to it).

The vulnerability also affects the lwIP stack, but EAP support is not enabled in the default lwIP settings.

Affected versions and solution

The fault affects pppd versions 2.4.2 to 2.4.8 inclusive and has been fixed with a patch. As some of you may know, disclosure to the general public takes place long after discovery and after the problem has been resolved. And, although this is a lengthy process, there is still the part that falls to the user, who must apply the corresponding update.

The status of the fix can be checked in the reports of the main Linux distributions.

This can be seen on the following pages: Debian, Ubuntu, RHEL, Fedora, SUSE, OpenWRT, Arch, NetBSD.

In RHEL, OpenWRT and SUSE, the pppd package is compiled with "Stack Smashing Protection" ("-fstack-protector" in gcc), which limits the impact to a crash.

In addition to distributions, the vulnerability is also confirmed in some Cisco (CallManager), TP-LINK and Synology products (DiskStation Manager, VisualStation VS960HD, and Router Manager) using pppd or lwIP code.

The patch is already available in the repositories of most Linux distributions, and some have already shipped it as a package update.

If you want to know more about the fault found, you can check the details and further information at the following link.
