- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-14-2020 11:16 PM - edited 03-14-2020 11:47 PM
We have received a Critical Security Advisory related to Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd).
is applicable to our PaloAlto and Panorama Firewall devices.?
Risk Advisory No CVE-2020-8597
Advisory Name Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd)
Severity Critical
Action Required Immediate
Summary CVE-2020-8597
CVE A new buffer overflow vulnerability has been discovered in pppd (Point to Point Protocol Daemon) versions 2.4.2 through 2.4.8. An unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. System administrators are encouraged to update pppd software with the latest available patches in order to prevent vulnerability exploitation.
Affected Products Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd) versions 2.4.2 through 2.4.8 are vulnerable
to CVE-2020-8597. This package is included in software products from different vendors. Please find below the list of confirmed affected vendors:
• Cisco
• Debian GNU/Linux
• Fedora Project
• NetBSD
• OpenWRT
• Red Hat
• Sierra Wireless
• SUSE Linux
• Synology
• TP-LINK
• Ubuntu
Recommendations It is recommended to update the pppd package with the latest available patches provided by each vendor. An authenticated attacker may still be able to exploit the vulnerability even if EAP is not enabled by sending unsolicited EAP packets to trigger
the buffer overflow. If the package has been compiled from source, the latest software can be obtained
from the pppd repository in Github:
• https://github.com/paulusmack/ppp
• https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f33
77fe6787575426
For those using the lwIP (lightweight IP) package compiled from source with EAP
enabled at compile time, the latest version is also available on Github:
• http://git.savannah.nongnu.org/cgit/lwip.git
• http://git.savannah.nongnu.org/cgit/lwip.git/commit/?
id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86
Regards,
03-18-2020 04:17 PM
With the release of PAN-OS 9.0.1 Palo Alto Networks has a new Security Advisory site. Please see https://securityadvisories.paloaltonetworks.com for details.
It does not appear that Palo Alto Networks devices are vulnerable to this specific advisory.
I searched that site and did not find it.
I would recommend that you search that site for all CVE's or visit:
https://live.paloaltonetworks.com/t5/PSIRT-Articles/tkb-p/PSIRT_Articles
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!