[OpenWrt-Devel] Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability (CVE-2020-8597)

Petr Štetiar ynezz at true.cz
Fri Feb 21 11:43:57 EST 2020

Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability (CVE-2020-8597)


A remotely exploitable vulnerability was found in Point-to-Point Protocol
Daemon (pppd), which has a significant potential impact due to the possibility
of remote code execution prior to authentication.

OpenWrt by default enables the _FORTIFY_SOURCE=1 compiler macro which
introduces additional checks to detect buffer-overflows in the standard
library functions, thus protecting the memcpy() abused in this overflow,
preventing the actual buffer overflow and hence possible remote code execution
by instead terminating the pppd daemon.  Due to those defaults the impact of
the issue was changed to a denial of service vulnerability, which is now also
addressed by this fix.

CVE-2020-8597 has been assigned to this issue, you can find the latest version
of this advisory on our wiki[1].


In order to exploit this vulnerability, a malicious attacker would need to
provide specially crafted EAP Request packet of type EAPT_MD5CHAP to ppp
running in client mode and thus overflowing the rhostname string buffer by
providing a very long hostname.


To fix this issue, update the affected ppp package using the command below.

   `opkg update; opkg upgrade ppp`

The fix is contained in the following and later versions:

 - OpenWrt master: 2020-02-20 reboot-12255-g215598fd0389
 - OpenWrt 19.07:  2020-02-20 v19.07.1-17-g6b7eeb74dbf8
 - OpenWrt 18.06:  2020-02-20 v18.06.7-6-gcc78f934a946


To our knowledge, OpenWrt versions 18.06.0 to 18.06.7 and versions 19.07.0 to
19.07.1 are affected.  The fixed packages will be integrated in the upcoming
OpenWrt 18.06.8 and OpenWrt 19.07.2 releases.  Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


This issue was identified by Ilja Van Sprundel and code fix was implemented by
Paul Mackerras.


1. https://openwrt.org/advisory/2020-02-21-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20200221/e16e4a20/attachment.sig>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list