Several Linux-based operating systems are affected by a 17-year-old remote code execution (RCE) flaw in the Point-to-Point Protocol daemon (pppd) software. Pppd not only comes pre-installed on most Linux systems but also powers the firmware of popular networking devices.
The Point-to-Point Protocol daemon is used to manage network connections between two nodes, mostly broadband connections where the PPPoE or PPPoA protocols are used over DSL lines or VPNs.
The RCE flaw was discovered by Ilja van Sprundel, a security researcher at IOActive. The critical flaw is a stack buffer overflow that arises from a logic error in the daemon's Extensible Authentication Protocol (EAP) packet parser.
According to an advisory issued by US-CERT, the vulnerability has been assigned CVE-2020-8597 and a CVSS score of 9.8, indicating critical severity.
An attacker can exploit the flaw to execute arbitrary code on an affected system remotely and take complete control of it. The flaw is exploited by sending a specially crafted EAP packet to a vulnerable pppd client or server.
What makes the vulnerability especially severe is that pppd typically runs with high privileges. An attacker who takes control of a server by exploiting the flaw could therefore gain root-level access.
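As an added illustration (not pppd's code, and not the routine the advisory refers to), the following C parser for an EAP-MD5-Challenge Response in the RFC 3748 layout shows the bounds checks a parser of this message type has to get right: the length field is validated against the bytes actually received, the peer-supplied value length against the packet, and the peer name is clamped to the fixed destination buffer before any copy is made. The buffer size MAX_PEER_NAME, the packet-builder helper and the check functions are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAP header (RFC 3748): code(1) id(1) length(2, big-endian); then type(1).
 * EAP-MD5-Challenge type data: value-size(1) value(value-size) name(rest). */
#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_MD5      4
#define EAP_HDRLEN        4
#define MAX_PEER_NAME     64   /* assumed size of the fixed buffer for the peer name */

struct md5_response {
    uint8_t id;
    uint8_t value_size;
    uint8_t value[255];          /* value-size is one byte, so 255 always suffices */
    char    name[MAX_PEER_NAME];
    size_t  name_len;
};

/* Parse an EAP-MD5-Challenge Response. Returns 0 on success, a negative code on
 * malformed input. Every copy is bounded by the destination size and by the bytes
 * actually received, never only by a length the peer supplied. */
int parse_eap_md5_response(const uint8_t *pkt, size_t pktlen, struct md5_response *out)
{
    if (pkt == NULL || out == NULL) return -1;
    if (pktlen < EAP_HDRLEN) return -2;                      /* header truncated */
    uint16_t hdr_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (hdr_len < EAP_HDRLEN || hdr_len > pktlen) return -3; /* length must fit the bytes we hold */
    if (pkt[0] != EAP_CODE_RESPONSE) return -4;
    if (hdr_len < EAP_HDRLEN + 2) return -5;                 /* need type and value-size */
    if (pkt[4] != EAP_TYPE_MD5) return -6;

    uint8_t vallen  = pkt[5];
    size_t  payload = hdr_len - (EAP_HDRLEN + 2);            /* bytes after value-size */
    if (vallen > payload) return -7;                         /* value would run past the packet */

    /* Name length is derived from the packet, then clamped to the destination. */
    size_t name_len = payload - vallen;
    if (name_len >= sizeof(out->name))
        name_len = sizeof(out->name) - 1;                    /* truncate, keep room for NUL */

    out->id = pkt[1];
    out->value_size = vallen;
    memcpy(out->value, pkt + EAP_HDRLEN + 2, vallen);
    memcpy(out->name, pkt + EAP_HDRLEN + 2 + vallen, name_len);
    out->name[name_len] = '\0';
    out->name_len = name_len;
    return 0;
}

/* Build a constructed Response with the given value size and name length (test input only).
 * Returns the total length, or 0 if it does not fit in buf. */
size_t build_md5_response(uint8_t *buf, size_t buflen, uint8_t id, uint8_t vallen, size_t namelen)
{
    size_t total = EAP_HDRLEN + 2 + vallen + namelen;
    if (total > buflen || total > 0xFFFF) return 0;
    buf[0] = EAP_CODE_RESPONSE;
    buf[1] = id;
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = EAP_TYPE_MD5;
    buf[5] = vallen;
    memset(buf + 6, 0xAB, vallen);          /* dummy MD5 value */
    memset(buf + 6 + vallen, 'A', namelen); /* dummy peer name */
    return total;
}

/* Self-checks over constructed packets; each returns 1 when the parser behaves as intended. */
int check_wellformed(void)
{
    uint8_t buf[512]; struct md5_response r;
    size_t n = build_md5_response(buf, sizeof buf, 7, 16, 10);
    return n == 32 && parse_eap_md5_response(buf, n, &r) == 0 && r.id == 7
        && r.value_size == 16 && r.name_len == 10 && strcmp(r.name, "AAAAAAAAAA") == 0;
}

int check_long_name_truncated(void)
{
    uint8_t buf[512]; struct md5_response r;
    size_t n = build_md5_response(buf, sizeof buf, 8, 16, 300);  /* name far larger than the buffer */
    return n == 322 && parse_eap_md5_response(buf, n, &r) == 0
        && r.name_len == (size_t)(MAX_PEER_NAME - 1) && strlen(r.name) == (size_t)(MAX_PEER_NAME - 1);
}

int check_value_overruns_packet(void)
{
    uint8_t buf[512]; struct md5_response r;
    size_t n = build_md5_response(buf, sizeof buf, 9, 16, 4);
    buf[5] = 40;                                 /* claims a value larger than the packet carries */
    return parse_eap_md5_response(buf, n, &r) == -7;
}

int check_length_field_exceeds_buffer(void)
{
    uint8_t buf[512]; struct md5_response r;
    size_t n = build_md5_response(buf, sizeof buf, 10, 16, 4);   /* n == 26 */
    buf[3] = 200;                                /* length field says 200, we only hold 26 bytes */
    return parse_eap_md5_response(buf, n, &r) == -3;
}

int main(void)
{
    printf("wellformed=%d truncated=%d value_overrun=%d length_overrun=%d\n",
           check_wellformed(), check_long_name_truncated(),
           check_value_overruns_packet(), check_length_field_exceeds_buffer());
    return 0;
}
```

Compile with `cc -Wall` and run; all four checks print 1. The point of the design is that the clamp is computed against `sizeof(out->name)`, the real size of the destination, and that every peer-controlled length (the header length and the value size) is compared with what was actually received before it is used as a copy length or an offset.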
According to van Sprundel, the flaw affects pppd versions 2.4.2 through 2.4.8, that is, every version released in the last 17 years. He has confirmed that the following Linux distributions are affected by the pppd flaw:
Additionally, the following devices ship the affected versions of pppd and are susceptible to attack:
We advise our readers to update their systems as soon as possible, since a patch is available, to avoid a possible attack.