Debian, Ubuntu, SUSE Linux, Fedora, NetBSD, Red Hat Enterprise Linux, Cisco and TP-LINK affected by critical bug; secure your servers ASAP

A security alert issued by instructors in the US-CERT hacking course discloses a dangerous remote code execution flaw that has been present for nearly 18 years in the PPP daemon software (pppd), which is installed in almost every Linux-based operating system.

This software is an implementation of the Point-to-Point Protocol (PPP), which carries communication and data transfer between nodes. It is mainly used to establish Internet links such as those used by broadband DSL connections and Virtual Private Network (VPN) services.

The flaw was discovered by instructors from the IOActive firm's hacking course. According to their report, this is a critical buffer overflow vulnerability that exists due to a logical error in the pppd Extensible Authentication Protocol (EAP) packet parser. Tracked as CVE-2020-8597, the flaw received a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale and can be exploited by an unauthenticated hacker to execute arbitrary code remotely on the target system.

To complete the attack, threat actors only need to send a malicious EAP packet to the vulnerable PPP client or server via a direct link on ISDN, Ethernet, SOcket CAT, PPTP, GPRS, or ATM networks. Because pppd runs with high privileges, attackers could execute malicious code with system privileges.

Hacking course specialists add that the flaw occurs when validating the size of the input before copying the supplied data into memory. Because the validation is incorrect, arbitrary data can be copied into memory and lead to unwanted code execution.
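The following is an added illustration of the kind of size-validation error described above; it is not pppd's source and does not come from the report. The buffer size `NAME_BUF`, the field layout (one length byte, a value, then a name) and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256  /* assumed size of the fixed destination buffer */

/* Flawed validation: the comparison tests the wrong quantity, so the
 * "trim" branch is never taken and the whole remainder is accepted.
 * Assumes the caller has already ensured vallen <= len. */
size_t copy_len_flawed(size_t len, size_t vallen)
{
    if (vallen >= len + NAME_BUF)   /* effectively never true */
        return NAME_BUF - 1;
    return len - vallen;            /* can exceed NAME_BUF */
}

/* Correct validation: reject inconsistent lengths, then clamp the
 * remainder to what the destination can hold (plus terminator). */
int copy_len_checked(size_t len, size_t vallen, size_t *out)
{
    if (vallen > len)
        return -1;
    size_t n = len - vallen;
    if (n >= NAME_BUF)
        n = NAME_BUF - 1;
    *out = n;
    return 0;
}

/* Hardened parser for the assumed layout: [vallen][value...][name...] */
int parse_name(const unsigned char *pkt, size_t pktlen, char name[NAME_BUF])
{
    size_t n;
    if (pktlen < 1)
        return -1;
    size_t vallen = pkt[0], len = pktlen - 1;
    if (copy_len_checked(len, vallen, &n) != 0)
        return -1;
    memcpy(name, pkt + 1 + vallen, n);
    name[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed lengths: 1000-byte field, 16-byte value. */
    printf("flawed check allows %zu bytes into a %d-byte buffer\n",
           copy_len_flawed(1000, 16), NAME_BUF);
    return 0;
}
```

When auditing similar parsers, check that the quantity compared against the buffer size is the same quantity later passed to the copy.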

Regarding vulnerable versions, the report mentions that any version of the pppd software released during the last 17 years is exposed to exploitation of the remote code execution flaw.

According to the International Institute of Cyber Security (IICS), impact has already been reported in some of the most popular Linux distributions, such as:

  • Debian
  • Ubuntu
  • SUSE Linux
  • Fedora
  • NetBSD
  • Red Hat Enterprise Linux

It should be noted that there has so far been no proof of concept for exploiting this vulnerability, although the possibility of exploitation in real-world scenarios has not been ruled out.