PPPD Remote Code Execution Vulnerability “Ghostcat”

Snippet of the vulnerability from the Qualys report.

ID: CVE-2020-8597
Title: pppd EAP Processing Buffer Overflow Vulnerability (“Ghostcat”)
Vendor: Multi-Vendor
Description: pppd (Point to Point Protocol Daemon) is vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines. The vulnerability is in the logic of the eap parsing code. By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.
CVSS v3 Base Score: 9.8

In our case, the vulnerability was identified on RHEL6 & 7 servers, so we had to verify whether our systems were really affected and take the relevant mitigation steps to remediate it.

More details for CVE-2020-8597 are available on the Red Hat Customer Portal.

As per the official Red Hat documentation:

A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check for the rhostname was improperly constructed in the EAP request and response functions which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.

The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc’s stack-protector feature. The “Stack Smashing Protection” may help mitigate code execution attacks for this flaw and limit its impact to crash only.

Affected Platform and Packages

Platform | Package
Red Hat Enterprise Linux 6 | ppp
Red Hat Enterprise Linux 7 | ppp
Red Hat Enterprise Linux 8 | ppp

CHECK – for installed ppp package version on server.

Either of the commands below can be used to check the installed version. In our case the installed version was ppp 2.4.5-5.

rpm -q ppp
Fig: rpm query for ppp pkg
yum list installed ppp
Fig: List Installed ppp package

MITIGATION Steps

As per Red Hat errata RHSA-2020:0631, the ppp security update for RHEL6:

The package update ppp-2.4.5-11.el6_10 should be applied to remediate this vulnerability.

Security Fix(es):
ppp: Buffer overflow in the eap_request and eap_response functions in eap.c (CVE-2020-8597)

Check for the latest available package and then update to it, in our case as below:

yum check-update ppp
Fig: Check ppp pkg update using YUM

Update the package as below using YUM.

yum update ppp
Fig: Yum update the ppp pkg

Now we have the recommended vendor package version on the system. A Qualys scan was performed after the update to confirm remediation.

NOTE: To remediate the Red Hat versions below, please follow the relevant Red Hat errata:

Red Hat Enterprise Linux 7 Errata: RHSA-2020:0630
Red Hat Enterprise Linux 8 Errata: RHSA-2020:0633
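
The version check above can be scripted for a fleet audit. The following is an added example, not part of the original post or the Red Hat advisory: it compares a ppp version-release string against the RHEL6 fixed build ppp-2.4.5-11.el6_10 from RHSA-2020:0631. The function names and the sample strings are assumptions made for illustration, and the comparison is a simplified form of RPM ordering (no epoch or tilde handling).

```shell
#!/bin/sh
# Added example: is the installed RHEL 6 ppp build older than the fixed build?
FIXED_EL6="2.4.5-11.el6_10"   # fixed version-release from RHSA-2020:0631 (quoted above)

# vrcmp A B: prints -1, 0 or 1. Simplified RPM-style ordering: split into digit
# and letter runs; numbers compare numerically and outrank letters.
vrcmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out) {
        gsub(/[^A-Za-z0-9]+/, " ", s)      # separators become spaces
        gsub(/[0-9]+/, " & ", s)           # isolate digit runs from letters
        return split(s, out, " ")
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na || i <= nb; i++) {
            if (i > na) { print -1; exit } # the longer string wins
            if (i > nb) { print 1; exit }
            x = A[i]; y = B[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && yn) { x += 0; y += 0 }
            else if (xn) { print 1; exit }
            else if (yn) { print -1; exit }
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# nvr_cmp "VER-REL" "VER-REL": compare the version first, then the release.
nvr_cmp() {
    c=$(vrcmp "${1%-*}" "${2%-*}")
    [ "$c" != 0 ] || c=$(vrcmp "${1##*-}" "${2##*-}")
    echo "$c"
}

# ppp_status "VER-REL": prints VULNERABLE, PATCHED or UNKNOWN (not an el6 build).
ppp_status() {
    case "$1" in
        *.el6|*.el6_*|*.el6.*) ;;
        *) echo UNKNOWN; return 0 ;;   # RHEL 7/8: use the fixed build from their errata
    esac
    if [ "$(nvr_cmp "$1" "$FIXED_EL6")" = -1 ]; then echo VULNERABLE; else echo PATCHED; fi
}

# On a real host: ppp_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' ppp)"
for vr in "2.4.5-5.el6" "2.4.5-11.el6_10" "2.4.5-33.el7"; do   # constructed samples
    printf '%s\t%s\n' "$vr" "$(ppp_status "$vr")"
done
```

On RHEL 7 and 8 the script reports UNKNOWN because this page does not list their fixed builds; take those from RHSA-2020:0630 and RHSA-2020:0633.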
