cbcvebase.
CVE-2020-8597
published 2020-02-03

CVE-2020-8597: eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

Priority P2 62 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 19.43% (97.0th percentile)

Affected

24 ranges
Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | lwip | < lwip 2.1.2+dfsg1-5 (bookworm) | lwip 2.1.2+dfsg1-5 (bookworm)
debian | ppp | < lwip 2.1.2+dfsg1-5 (bookworm) | lwip 2.1.2+dfsg1-5 (bookworm)
google | android | |
lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5
lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5
lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5
lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5
msrc | azl3_ppp_2.4.7-36_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
point-to-point_protocol_project | point-to-point_protocol | 2.4.2 – 2.4.8 |
samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1
samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1
samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1
samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1
ubuntu | lwip | |
wago | pfc_firmware | < 03.04.10(16) | 03.04.10(16)

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via a specially crafted EAP packet sent to a vulnerable PPP client or server; detect anomalous EAP packets targeting pppd processes, especially those with oversized or malformed rhostname fields.
  • Focus detection on the eap_request and eap_response functions in eap.c; the overflow occurs when an EAPT_MD5CHAP (type 4) packet passes a flawed bounds check and copies an arbitrary-length hostname into a local stack buffer.
  • A secondary attack vector exists via eap_input: an attacker can send an EAP packet even if EAP was never negotiated during the LCP phase, bypassing authentication state checks and triggering the stack buffer overflow without prior negotiation.
  • Affected file is eap.c in pppd versions 2.4.2 through 2.4.8; presence of unpatched pppd in this version range on a system indicates exploitability.
  • pppd typically runs with high privileges (system or root); monitor for unexpected child processes or privilege escalation events spawned from pppd.
  • Android versions 8.0, 8.1, 9, and 10 are affected with a CRITICAL RCE rating; flag unpatched Android devices on these versions as vulnerable.
  • The vulnerability only requires the attacker to send a crafted EAP packet; no prior authentication or EAP negotiation during LCP is required, making the attack surface broader than typical PPP deployments might suggest.
  • At the time of publication no working public PoC existed, but multiple GitHub repositories were noted as works-in-progress with stated intent to release within weeks; treat as imminent.
  • The vulnerability has existed for 17 years (introduced in ppp 2.4.2), meaning a very wide range of legacy and embedded systems may be affected beyond the listed Linux distributions.
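As an added example (not code from this page or from pppd), the C check below implements the detection point from the first two bullets: it parses an EAP Request/Response per RFC 3748 and, for MD5-Challenge (type 4), computes the length of the trailing Name field and flags packets whose Name would not fit a fixed-size buffer. The 256-byte limit used in the comments and the sample-packet builder are assumptions constructed for illustration, not values taken from the pppd source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EAP constants (RFC 3748): Code 1/2 = Request/Response, Type 4 = MD5-Challenge
 * (EAPT_MD5CHAP in pppd's naming). */
#define EAP_REQUEST  1
#define EAP_RESPONSE 2
#define EAPT_MD5CHAP 4

enum { EAP_OK = 0, EAP_NOT_MD5 = 1, EAP_MALFORMED = 2, EAP_NAME_TOO_LONG = 3 };

/*
 * Classify one EAP packet. Wire layout: Code(1) Id(1) Length(2, big-endian)
 * Type(1) Value-Size(1) Value(Value-Size bytes) Name(remaining bytes).
 * Returns EAP_NAME_TOO_LONG when the Name field would not fit a buffer of
 * buf_size bytes (NUL terminator included); *name_len receives the Name length.
 */
int eap_md5_name_check(const uint8_t *pkt, size_t n, size_t buf_size, size_t *name_len)
{
    if (n < 5) return EAP_MALFORMED;
    size_t length = ((size_t)pkt[2] << 8) | pkt[3];
    if (length < 5 || length > n) return EAP_MALFORMED;      /* header claims more than we have */
    if (pkt[0] != EAP_REQUEST && pkt[0] != EAP_RESPONSE) return EAP_NOT_MD5;
    if (pkt[4] != EAPT_MD5CHAP) return EAP_NOT_MD5;

    size_t len = length - 5;                 /* type-specific data after the Type octet */
    if (len < 1) return EAP_MALFORMED;       /* no Value-Size octet present */
    size_t vallen = pkt[5];
    len--;                                   /* consume the Value-Size octet */
    if (vallen > len) return EAP_MALFORMED;  /* Value would run past the packet */

    *name_len = len - vallen;                /* everything after Value is the Name */
    /* The bound that matters is the Name length itself against the buffer (e.g. 256). */
    if (*name_len >= buf_size) return EAP_NAME_TOO_LONG;
    return EAP_OK;
}

/* Constructed sample packet for testing the check: dummy challenge bytes followed
 * by namelen bytes of 'A'. Returns bytes written, or 0 if it would not fit. */
size_t build_md5_challenge(uint8_t *out, size_t cap, uint8_t code, size_t vallen, size_t namelen)
{
    size_t total = 5 + 1 + vallen + namelen;
    if (vallen > 255 || total > 0xFFFF || total > cap) return 0;
    out[0] = code; out[1] = 1;                              /* Identifier = 1 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[4] = EAPT_MD5CHAP; out[5] = (uint8_t)vallen;
    memset(out + 6, 0xAA, vallen);
    memset(out + 6 + vallen, 'A', namelen);
    return total;
}
```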

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_msrc | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_ubuntu | | 7.5 | HIGH |