A security alert published by US-CERT describes a critical remote code execution flaw that has been present for about 17 years in the PPP daemon (pppd), which ships with most Linux distributions.
This software is an implementation of the Point-to-Point Protocol (PPP), which carries data between two directly connected nodes and is mainly used to establish Internet links such as broadband DSL connections and Virtual Private Network (VPN) tunnels.
The flaw was discovered by Ilja Van Sprundel, a researcher at IOActive. According to the report, it is a critical buffer overflow that exists due to a logic error in the pppd Extensible Authentication Protocol (EAP) packet parser. Tracked as CVE-2020-8597, the flaw received a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale and can be exploited by an unauthenticated remote attacker to execute arbitrary code on the target system.
To carry out the attack, a threat actor only needs to send a malicious EAP packet to the vulnerable PPP client or server over whatever link pppd is serving: a direct serial link, ISDN, Ethernet, SOcket CAT (socat), PPTP, GPRS, or ATM. Because pppd normally runs as root, the attacker's code executes with system privileges. Disabling EAP is not a mitigation: pppd still accepts EAP packets when EAP has not been negotiated, so an unsolicited packet can reach the vulnerable parser.
The report adds that the flaw occurs when the parser validates the size of an input field before copying it into a fixed-size buffer. The bounds check in the EAP MD5-Challenge handling is inverted, so the length of the attacker-supplied peer name is never actually compared against the size of the destination buffer; an oversized name is copied onto the stack, overwrites adjacent memory, and can lead to code execution.
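To make the inverted check concrete, the following is an added example written for this page, not pppd's own source. It is a simplified model of the MD5-Challenge peer-name handling modeled on the publicly documented fix: the buffer size, header length and packet layout are assumed for illustration, and the "original" branch reproduces the never-true comparison while the "hardened" branch applies the corrected one. The function returns how many bytes the copy would write, so the demo itself never overflows anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_SZ   256   /* assumed size of the fixed stack buffer for the peer name */
#define EAP_HEADERLEN  4     /* Code, Identifier, Length(2) */
#define EAPT_MD5CHAP   4
#define EAP_REQUEST    1

/*
 * How many bytes the MD5-Challenge peer-name copy writes into the
 * fixed buffer (not counting the terminating NUL).
 *   vallen = value-size byte (length of the challenge value)
 *   len    = bytes remaining after the value-size byte
 * Returns -1 when the packet is rejected outright.
 */
static int peer_name_copy_len(int vallen, int len, int hardened)
{
    if (vallen < 8 || vallen > len)      /* sanity check, same in both versions */
        return -1;

    int trim;
    if (hardened)
        trim = (len - vallen >= RHOSTNAME_SZ);   /* corrected: compare the name length */
    else
        trim = (vallen >= len + RHOSTNAME_SZ);   /* inverted: never true, since vallen <= len,
                                                    so the untrimmed copy always runs */
    return trim ? RHOSTNAME_SZ - 1 : len - vallen;
}

/*
 * Build a constructed EAP Request / MD5-Challenge packet with a 16-byte
 * challenge value and a peer name of name_len 'A' bytes.
 * Returns the packet length, or 0 if it does not fit in buf.
 */
static size_t build_md5_challenge(uint8_t *buf, size_t bufsz, size_t name_len)
{
    size_t total = EAP_HEADERLEN + 1 + 1 + 16 + name_len;
    if (total > bufsz || total > 0xFFFF)
        return 0;
    buf[0] = EAP_REQUEST;
    buf[1] = 0x01;                        /* identifier */
    buf[2] = (uint8_t)(total >> 8);       /* length, big-endian */
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = EAPT_MD5CHAP;                /* type */
    buf[5] = 16;                          /* value-size */
    memset(buf + 6, 0xAB, 16);            /* challenge value (constructed) */
    memset(buf + 22, 'A', name_len);      /* peer name, not NUL-terminated */
    return total;
}

/*
 * Walk the packet the way the parser does (header, type byte, value-size
 * byte) and report the copy length that would be used for the peer name.
 * Returns -1 on rejection.
 */
static int parse_copy_len(const uint8_t *pkt, size_t pktlen, int hardened)
{
    if (pktlen < EAP_HEADERLEN + 2)
        return -1;
    int len = (pkt[2] << 8 | pkt[3]) - EAP_HEADERLEN;   /* bytes after header */
    if (len < 0 || (size_t)len + EAP_HEADERLEN > pktlen)
        return -1;
    if (pkt[4] != EAPT_MD5CHAP)
        return -1;
    len--;                                /* consumed the type byte */
    int vallen = pkt[5];
    len--;                                /* consumed the value-size byte */
    return peer_name_copy_len(vallen, len, hardened);
}

/* True if n bytes plus the NUL terminator no longer fit in the buffer. */
static int would_overflow(int n)
{
    return n >= RHOSTNAME_SZ;
}

int main(void)
{
    static uint8_t pkt[2048];
    for (size_t name_len = 8; name_len <= 1024; name_len *= 4) {
        size_t n = build_md5_challenge(pkt, sizeof pkt, name_len);
        int vuln = parse_copy_len(pkt, n, 0);
        int safe = parse_copy_len(pkt, n, 1);
        printf("name %4zu bytes: original copies %4d (%s), fixed copies %3d\n",
               name_len, vuln, would_overflow(vuln) ? "OVERFLOW" : "ok", safe);
    }
    return 0;
}
```

The 8-byte value-length check that both versions share only protects the challenge value; it says nothing about the name that follows it, which is why a packet whose length field is honest but whose name is a few hundred bytes long passes every check in the original branch and is copied in full.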
Regarding vulnerable versions, the report states that every pppd release of the last 17 years, versions 2.4.2 through 2.4.8, is exposed to this remote code execution flaw. The installed version can be checked with `pppd --version`, but distribution packages usually carry the fix as a backported patch, so the version string alone does not prove exposure; the package changelog or the vendor advisory is the authoritative source.
According to the International Institute of Cyber Security (IICS), affected packages have already been reported in some of the most popular Linux distributions, such as:
- SUSE Linux
- Red Hat Enterprise Linux
It should be noted that no proof of concept for exploitation of this vulnerability has been published, although the possibility of exploitation in real-world scenarios has not been ruled out.