
RCE in pppd and ppp client
Closed, Resolved (Public)

Description

Hi,

Sorry for the link in German:

https://blog.fefe.de/?ts=a0b08d9a

It seems that there is an RCE in server and client code:

https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426

"So it affects the server and client. Both eap_request() and eap_response() are vulnerable (and have the exact same bug). Further more, there is no check to see if you’ve actually configured eap and are using eap prior to hitting the parser. So even if it’s not configured, you’re still vulnerable. Oh, and it’s pre-auth."

There is no ppp release with this fix. It is only in current git. I also have not seen any CVE.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.4
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)