CVE-2020-8597
Published 2020-02-03
CVE-2020-8597: eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Priority: P262, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 19.43% (97.0th percentile)
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | lwip | < lwip 2.1.2+dfsg1-5 (bookworm) | lwip 2.1.2+dfsg1-5 (bookworm) |
| debian | ppp | < lwip 2.1.2+dfsg1-5 (bookworm) | lwip 2.1.2+dfsg1-5 (bookworm) |
| android | — | — | |
| lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5 |
| lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5 |
| lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5 |
| lwip_project | lwip | >= 0 < 2.1.2+dfsg1-5 | 2.1.2+dfsg1-5 |
| msrc | azl3_ppp_2.4.7-36_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| point-to-point_protocol_project | point-to-point_protocol | 2.4.2 – 2.4.8 | — |
| samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1 |
| samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1 |
| samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1 |
| samba | ppp | >= 0 < 2.4.8-1+1 | 2.4.8-1+1 |
| ubuntu | lwip | — | — |
| wago | pfc_firmware | < 03.04.10(16) | 03.04.10(16) |
Detection & IOCs
- The vulnerability is triggered via a specially crafted EAP packet sent to a vulnerable PPP client or server; detect anomalous EAP packets targeting pppd processes, especially those with oversized or malformed rhostname fields.
- Focus detection on the eap_request and eap_response functions in eap.c; the overflow occurs when an EAPT_MD5CHAP (type 4) packet passes a flawed bounds check and copies an arbitrary-length hostname into a local stack buffer.
- A secondary attack vector exists via eap_input: an attacker can send an EAP packet even if EAP was never negotiated during the LCP phase, bypassing authentication state checks and triggering the stack buffer overflow without prior negotiation.
- Affected file is eap.c in pppd versions 2.4.2 through 2.4.8; presence of unpatched pppd in this version range on a system indicates exploitability.
- pppd typically runs with high privileges (system or root); monitor for unexpected child processes or privilege escalation events spawned from pppd.
- Android versions 8.0, 8.1, 9, and 10 are affected with a CRITICAL RCE rating; flag unpatched Android devices on these versions as vulnerable.
- The vulnerability only requires the attacker to send a crafted EAP packet; no prior authentication or EAP negotiation during LCP is required, making the attack surface broader than typical PPP deployments might suggest.
- At time of publication no working public PoC existed, but multiple GitHub repositories were noted as works-in-progress with stated intent to release within weeks; treat as imminent.
- The vulnerability has existed for 17 years (introduced in ppp 2.4.2), meaning a very wide range of legacy and embedded systems may be affected beyond the listed Linux distributions.
CVSS provenance
- nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_msrc: 9.8 CRITICAL
- vendor_redhat: 9.8 CRITICAL
- vendor_ubuntu: 7.5 HIGH
GHSA
GHSA-gw8r-xfqw-vw42: eap
ghsa_unreviewed·2022-05-24
CVE-2020-8597 [HIGH] CWE-120 GHSA-gw8r-xfqw-vw42: eap
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
OSV
CVE-2020-8597: eap
osv·2020-02-03·CVSS 9.8
CVE-2020-8597 [CRITICAL] CVE-2020-8597: eap
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Ubuntu
lwIP vulnerabilities
vendor_ubuntu·2026-06-11·CVSS 7.5
CVE-2026-8836 [HIGH] lwIP vulnerabilities
Title: lwIP vulnerabilities
Summary: Several security issues were fixed in lwIP.
It was discovered that lwIP contained a buffer overflow in the EAP
authentication handling code. An attacker could possibly use this issue
to trigger a buffer overflow, resulting in arbitrary code execution or a
denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2020-8597)
It was discovered that lwIP incorrectly handled certain ICMPv6 or
6LoWPAN packets. An attacker could possibly use this issue to trigger a
buffer overflow, resulting in information disclosure. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-22283, CVE-2020-22284)
It was discovered that lwIP did not properly validate certain SNMPv3
authentication parameters. An attacker could possibly use this issue to
trigger a stack-
CISA ICS
Siemens SCALANCE, RUGGEDCOM
cisa_ics·2020-08-11·CVSS 9.8
[CRITICAL] Siemens SCALANCE, RUGGEDCOM
ICS Advisory
## Siemens SCALANCE, RUGGEDCOM
Last Revised: August 11, 2020
Alert Code: ICSA-20-224-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Siemens
- Equipment: SCALANCE, RUGGEDCOM
- Vulnerability: Classic Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain unauthenticated access to a device and cause a buffer overflow to execute custom code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- RUGGEDCOM RM1224: Al
Android
CVE-2020-8597: Android Security Bulletin 2020-06-01
vendor_android·2020-06-01·CVSS 9.8
CVE-2020-8597 [CRITICAL] CVE-2020-8597: Android Security Bulletin 2020-06-01
Android Security Bulletin 2020-06-01
CVE: CVE-2020-8597
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 8.0, 8.1, 9, 10
References: A-151153886
Ubuntu
ppp vulnerability
vendor_ubuntu·2020-03-02
CVE-2020-8597 ppp vulnerability
Title: ppp vulnerability
Summary: ppp could be made to crash or run programs if it received specially crafted network traffic.
USN-4288-1 fixed a vulnerability in ppp. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that ppp incorrectly handled certain rhostname values. A
remote attacker could use this issue to cause ppp to crash, resulting in a
denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
ppp vulnerability
vendor_ubuntu·2020-02-20
CVE-2020-8597 ppp vulnerability
Title: ppp vulnerability
Summary: ppp could be made to crash or run programs if it received specially crafted
network traffic.
It was discovered that ppp incorrectly handled certain rhostname values. A
remote attacker could use this issue to cause ppp to crash, resulting in a
denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
vendor_msrc·2020-02-11·CVSS 9.8
CVE-2020-8597 [CRITICAL] CWE-120 eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required:
Red Hat
ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
vendor_redhat·2020-02-03·CVSS 9.8
CVE-2020-8597 [CRITICAL] CWE-120 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check for the rhostname was improperly constructed in the EAP request and response functions which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.
Statement: The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.
Mit
Debian
CVE-2020-8597: lwip - eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the...
vendor_debian·2020·CVSS 9.8
CVE-2020-8597 [CRITICAL] CVE-2020-8597: lwip - eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the...
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Scope: local
bookworm: resolved (fixed in 2.1.2+dfsg1-5)
bullseye: resolved (fixed in 2.1.2+dfsg1-5)
forky: resolved (fixed in 2.1.2+dfsg1-5)
sid: resolved (fixed in 2.1.2+dfsg1-5)
trixie: resolved (fixed in 2.1.2+dfsg1-5)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-8597 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
bugzilla·2020-09-08·CVSS 6.5
CVE-2019-8597 [MEDIUM] CVE-2019-8597 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
WebKitGTK Security Advisory WSA-2019-0003 describes the following issue:
CVE-2019-8597
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
Discussion:
External References:
https://webkitgtk.org/security/WSA-2019-0003.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4035 https://access.redhat.com/errata/RHSA-2020:4035
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/c
Bugzilla
CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c [fedora-all]
bugzilla·2020-02-07·CVSS 9.8
CVE-2020-8597 [CRITICAL] CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mu
Bugzilla
CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
bugzilla·2020-02-07·CVSS 9.8
CVE-2020-8597 [CRITICAL] CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Upstream patch:
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
Discussion:
Created ppp tracking bugs for this issue:
Affects: fedora-all [bug 1800734]
---
Statement:
The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.
---
What's the impact to set in the errata field?
---
(In reply to Jaroslav Škarvada from comment #8)
> What's the impact to set in th
Tenable
How COVID-19 Response Is Expanding the Cyberattack Surface
blogs_tenable·2020-03-30
Checkpoint
9th March – Threat Intelligence Bulletin
blogs_checkpoint·2020-03-09
CVE-2020-8597 9th March – Threat Intelligence Bulletin
## 9th March – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 9th March 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Global fear of the Corona virus epidemic continues to be exploited for malicious cyber operations. Check Point Research reports of thousands of newly registered coronavirus related domains, which are 50% more likely malicious than other domains. CPR also informed of a Trickbot campaign using a fake health warning documen
Tenable
CVE-2020-8597: Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd)
blogs_tenable·2020-03-06·CVSS 9.8
[CRITICAL] CVE-2020-8597: Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00006.html
- http://packetstormsecurity.com/files/156662/pppd-2.4.8-Buffer-Overflow.html
- http://packetstormsecurity.com/files/156802/pppd-2.4.8-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2020/Mar/6
- https://access.redhat.com/errata/RHSA-2020:0630
- https://access.redhat.com/errata/RHSA-2020:0631
- https://access.redhat.com/errata/RHSA-2020:0633
- https://access.redhat.com/errata/RHSA-2020:0634
- https://cert-portal.siemens.com/productcert/pdf/ssa-809841.pdf
- https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
- https://kb.netgear.com/000061806/Security-Advisory-for-Unauthenticated-Remote-Buffer-Overflow-Attack-in-PPPD-on-WAC510-PSV-2020-0136
- https://lists.debian.org/debian-lts-announce/2020/02/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNJNHWOO4XF73M2W56ILZUY4JQG3JXIR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOFDAIOWSWPG732ASYUZNINMXDHY4APE/
- https://security.gentoo.org/glsa/202003-19
- https://security.netapp.com/advisory/ntap-20200313-0004/
- https://us-cert.cisa.gov/ics/advisories/icsa-20-224-04
- https://usn.ubuntu.com/4288-1/
- https://usn.ubuntu.com/4288-2/
- https://www.debian.org/security/2020/dsa-4632
- https://www.kb.cert.org/vuls/id/782301
- https://www.synology.com/security/advisory/Synology_SA_20_02
Published: 2020-02-03