First published: Mon Feb 03 2020(Updated: )
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/ppp | <=2.4.7-2+4.1<=2.4.7-1+4 | 2.4.8-1+1~exp1 2.4.7-2+4.1+deb10u1 2.4.7-1+4+deb9u1 |
Point-to-point Protocol Project Point-to-point Protocol | >=2.4.2<=2.4.8 | |
Wago Pfc Firmware | <03.04.10\(16\) | |
WAGO PFC100 | ||
WAGO PFC200 | ||
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
All of | ||
Wago Pfc Firmware | <03.04.10\(16\) | |
Any of | ||
WAGO PFC100 | ||
WAGO PFC200 | ||
Google Android | ||
Siemens RUGGEDCOM RM1224 | <6.3 | 6.3 |
Siemens SCALANCE M-800 / S615 | <6.3 | 6.3 |
ubuntu/ppp | <2.4.7-2+2ubuntu1.2 | 2.4.7-2+2ubuntu1.2 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu4.1 | 2.4.7-2+4.1ubuntu4.1 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.7-2+4.1ubuntu5 | 2.4.7-2+4.1ubuntu5 |
ubuntu/ppp | <2.4.5-5.1ubuntu2.3+ | 2.4.5-5.1ubuntu2.3+ |
ubuntu/ppp | <2.4.7-1+2ubuntu1.16.04.2 | 2.4.7-1+2ubuntu1.16.04.2 |
debian/lwip | 2.1.2+dfsg1-8+deb11u1 2.1.3+dfsg1-2 2.2.0+dfsg1-7 | |
debian/ppp | 2.4.9-1+1 2.4.9-1+1.1 2.5.0-1+2 |
http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-8597.
The severity of CVE-2020-8597 is critical with a severity value of 9.8.
The affected software includes ppp versions 2.4.2 through 2.4.8 on Debian and Ubuntu systems, lwip on Debian systems, and Android devices.
To fix the vulnerability in pppd, update to version 2.4.9-1+1 or later on Debian systems, and follow the recommended updates for Ubuntu and Android devices.
You can find more information about CVE-2020-8597 at the following references: [Link 1](https://android.googlesource.com/platform/external/ppp/+/f9fec5c36952301e585a420f31e96d35a60d0498), [Link 2](https://source.android.com/docs/security/bulletin/2020-06-01), [Link 3](https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426).