PPPD Remote Code Execution Vulnerability “Ghostcat”
Snippet of the vulnerability from the Qualys report.
Title: pppd EAP Processing Buffer Overflow Vulnerability (“Ghostcat”)
Description: pppd (Point to Point Protocol Daemon) is vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines. The vulnerability is in the logic of the eap parsing code. By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.
CVSS v3 Base Score: 9.8
In our case, the vulnerability was identified on RHEL 6 and 7 servers, so we had to verify whether our systems were really affected and take the relevant mitigation steps to remediate it.
We checked the Red Hat Customer Portal for more details on CVE-2020-8597.
As per the details from the official Red Hat documentation:
A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check for the rhostname was improperly constructed in the EAP request and response functions which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.
The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc’s stack-protector feature. The “Stack Smashing Protection” may help mitigate code execution attacks for this flaw and limit its impact to crash only.
Affected Platform and Packages
|Platform|Package|
|Red Hat Enterprise Linux 6|ppp|
|Red Hat Enterprise Linux 7|ppp|
|Red Hat Enterprise Linux 8|ppp|
CHECK – the installed ppp package version on the server.
Either of the commands below can be used for this. In our case, the installed version is ppp 2.4.5-5.
rpm -q ppp
yum list installed ppp
As per Red Hat erratum RHSA-2020:0631, the ppp security update for RHEL 6,
the package update ppp-2.4.5-11.el6_10 should be applied to remediate this vulnerability.
ppp: Buffer overflow in the eap_request and eap_response functions in eap.c (CVE-2020-8597)
Check for the latest available package, in our case as below:
yum check-update ppp
Update the package as below using YUM.
yum update ppp
Now we have the recommended vendor package version on the system. A Qualys scan was performed after the update to confirm remediation.
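The version check from the steps above can be scripted when many hosts need to be triaged. The following is an added example, not part of the original post or of Red Hat's tooling: it classifies one line of `rpm -q ppp` output against the fixed build named in the erratum. Red Hat backports the fix, so the upstream version stays 2.4.5 and only the release field changes, which is why the whole version-release string is compared; the function names and sample lines are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not from the original post or from Red Hat.
# Fixed build for RHEL 6 as named on this page (RHSA-2020:0631).
FIXED_EL6="2.4.5-11.el6_10"

# ppp_evr LINE: reduce "ppp-2.4.5-5.el6.x86_64" to "2.4.5-5.el6".
ppp_evr() {
    evr=${1#ppp-}
    case $evr in
        *.x86_64|*.i686|*.i386|*.ppc64|*.s390x|*.noarch) evr=${evr%.*} ;;
    esac
    printf '%s\n' "$evr"
}

# ppp_status LINE FIXED: LINE is one line of `rpm -q ppp` output, FIXED is the
# version-release from the erratum for the same RHEL major release.
# Prints one of: not-installed, unknown, vulnerable, patched.
ppp_status() {
    case $1 in
        *"is not installed"*) echo not-installed; return 0 ;;
        ppp-[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    have=$(ppp_evr "$1")
    if [ "$have" = "$2" ]; then echo patched; return 0; fi
    # sort -V (GNU coreutils) approximates rpm's ordering; it is sufficient
    # for the ppp version-release strings handled here.
    lowest=$(printf '%s\n%s\n' "$have" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$have" ]; then echo vulnerable; else echo patched; fi
}

# Constructed sample lines (not captured from a real host).
for line in "ppp-2.4.5-5.el6.x86_64" "ppp-2.4.5-11.el6_10.x86_64" \
            "package ppp is not installed"; do
    printf '%-32s %s\n' "$line" "$(ppp_status "$line" "$FIXED_EL6")"
done
# On a live RHEL 6 host: ppp_status "$(rpm -q ppp)" "$FIXED_EL6"
```

For RHEL 7 or 8, pass the version-release from the erratum for that release as the second argument; comparing across major releases is not meaningful.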
NOTE: To remediate the Red Hat versions below, please follow the relevant Red Hat errata