Researchers at the CERT Coordination Center (CERT/CC) have released details on a critical Point-to-Point Protocol Daemon (pppd) vulnerability CVE-2020-8597.
The critical vulnerability impacts pppd versions 2.4.2 through 2.4.8.
PPP is the data link layer communications protocol used for transporting IP traffic across point-to-point links. Examples of common implementations include DSL connections and Virtual Private Networks (VPN) implementing SSL encryption.
To add, pppd is a daemon that runs on Unix-like operating systems and manages PPP session establishment and termination between two hosts.
According to CERT, the critical vulnerability CVE-2020-8597 is caused by a buffer overflow condition.
“Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system,” CERT stated in the security advisory.
“This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code.”
Multiple vendors have confirmed they have products affected or have patches available as of March 6:
Finally, many other vendors have confirmed they do not have any products affected or have not released any updates as of this writing.
We will update the vendor list as more information is released.