CVE-2020-8597
Description
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Affected products
- ppp/ppp (source: description)
- osv-coords, 28 versions (no CPE for any entry):
  - pkg:rpm/almalinux/ppp, range: < 2.4.7-26.el8_1
  - pkg:rpm/almalinux/ppp-devel, range: < 2.4.7-26.el8_1
  - pkg:rpm/opensuse/ppp&distro=openSUSE%20Leap%2015.1, range: < 2.4.7-lp151.5.3.1
  - pkg:rpm/opensuse/ppp&distro=openSUSE%20Tumbleweed, range: < 2.4.8-3.6
  - pkg:rpm/suse/ppp&distro=HPE%20Helion%20OpenStack%208, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Enterprise%20Storage%205, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015, range: < 2.4.7-5.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1, range: < 2.4.7-5.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3, range: < 2.4.5.git-2.32.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS, range: < 2.4.5.git-2.32.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20OpenStack%20Cloud%207, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20OpenStack%20Cloud%208, range: < 2.4.7-4.3.1
  - pkg:rpm/suse/ppp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208, range: < 2.4.7-4.3.1
Vulnerability mechanics
Root cause
"Missing bounds checking on the rhostname buffer in eap_request and eap_response allows a stack buffer overflow when processing unsolicited EAP packets."
Attack vector
An unauthenticated remote attacker sends an unsolicited EAP packet to a vulnerable ppp client or server [ref_id=1]. The pppd code in `eap_input` processes the packet even if ppp refused the authentication negotiation due to lack of EAP support or a mismatched pre-shared passphrase [ref_id=1]. This unverified data with an unknown size triggers a stack buffer overflow in the `rhostname` buffer within `eap_request` and `eap_response` [ref_id=1]. The pppd process often runs with system or root privileges, making arbitrary code execution possible [ref_id=1].
Affected code
The vulnerability resides in the `eap_request` and `eap_response` functions within `eap.c` of pppd, affecting ppp versions 2.4.2 through 2.4.8. The `rhostname` buffer is overflowed when processing EAP packets without proper bounds checking [ref_id=1].
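The two checks whose absence is described above (ignoring EAP that was never negotiated, and bounding the copy into the fixed-size name buffer), shown as an added example in a simplified model. This is not pppd's `eap.c` or the upstream patch; `eap_peer_name`, the result codes, the `eap_negotiated` flag and the 256-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RHOSTNAME_MAX 256   /* assumed size of the fixed peer-name buffer */
#define EAP_HDR_LEN   4     /* code(1) id(1) length(2), RFC 3748 */
#define EAPT_MD5CHAP  4     /* EAP type 4 = MD5-Challenge, RFC 3748 */

enum { EAP_OK = 0, EAP_IGNORED = -1, EAP_MALFORMED = -2, EAP_NAME_TOO_LONG = -3 };

/* Constructed sample: Request, id 1, length 13, MD5-Challenge, 4-byte value, name "srv" */
static const uint8_t sample_pkt[] = {1, 1, 0, 13, 4, 4, 0xAA, 0xBB, 0xCC, 0xDD, 's', 'r', 'v'};

/* Hypothetical model: parse an MD5-Challenge request and copy the trailing
 * peer name into out[RHOSTNAME_MAX]. eap_negotiated stands in for "EAP was
 * agreed for this link"; pppd's real state handling is not reproduced. */
int eap_peer_name(const uint8_t *pkt, size_t pkt_len, int eap_negotiated,
                  char out[RHOSTNAME_MAX])
{
    if (!eap_negotiated)
        return EAP_IGNORED;              /* drop unsolicited EAP outright */
    if (pkt_len < EAP_HDR_LEN + 2)
        return EAP_MALFORMED;            /* need header + type + value-size */

    size_t len = ((size_t)pkt[2] << 8) | pkt[3];   /* sender-claimed length */
    if (len < EAP_HDR_LEN + 2 || len > pkt_len)
        return EAP_MALFORMED;            /* claimed length must fit the data */
    if (pkt[4] != EAPT_MD5CHAP)
        return EAP_MALFORMED;

    size_t vallen = pkt[5];
    size_t body = len - EAP_HDR_LEN - 2; /* bytes after the value-size octet */
    if (vallen > body)
        return EAP_MALFORMED;            /* value would run past the packet */

    size_t namelen = body - vallen;      /* remainder is the peer name */
    if (namelen >= RHOSTNAME_MAX)
        return EAP_NAME_TOO_LONG;        /* reject instead of overflowing */

    memcpy(out, pkt + EAP_HDR_LEN + 2 + vallen, namelen);
    out[namelen] = '\0';
    return EAP_OK;
}

int main(void)
{
    char name[RHOSTNAME_MAX];
    return eap_peer_name(sample_pkt, sizeof sample_pkt, 1, name) == EAP_OK ? 0 : 1;
}
```

Every length comparison is done on unsigned values after the smaller bound has been established, so none of the subtractions can wrap.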
What the fix does
The advisory recommends applying the latest patches from the software vendor [ref_id=1]. The fix is available in the ppp Git repository at commit 8d45443bb5c9372b4c6a362ba2f443d41c5636af, and for lwIP at commit 2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86 [ref_id=1]. No workaround exists other than patching [ref_id=1].
Preconditions
- network: The attacker must be able to send network packets to a vulnerable ppp client or server.
- auth: No authentication or prior EAP negotiation is required; the vulnerable code processes unsolicited EAP packets even when EAP was not negotiated.
- config: The target must be running pppd version 2.4.2 through 2.4.8, or lwIP configured with EAP enabled at compile time.
- input: The attacker sends a crafted EAP packet with an oversized rhostname field.
Reproduction
A proof-of-concept for testing PPTP server vulnerability is available in the CERT/CC PoC repository at https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-8597-pptpd [ref_id=1]. A Snort/Suricata IDS rule to detect exploitation attempts is also provided in that repository [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00006.html (mitre, vendor-advisory, x_refsource_SUSE)
- access.redhat.com/errata/RHSA-2020:0630 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0631 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0633 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0634 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNJNHWOO4XF73M2W56ILZUY4JQG3JXIR/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOFDAIOWSWPG732ASYUZNINMXDHY4APE/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202003-19 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/4288-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4288-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4632 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.kb.cert.org/vuls/id/782301 (mitre, third-party-advisory, x_refsource_CERT-VN)
- packetstormsecurity.com/files/156662/pppd-2.4.8-Buffer-Overflow.html (mitre, x_refsource_MISC)
- packetstormsecurity.com/files/156802/pppd-2.4.8-Buffer-Overflow.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2020/Mar/6 (mitre, mailing-list, x_refsource_FULLDISC)
- cert-portal.siemens.com/productcert/pdf/ssa-809841.pdf (mitre, x_refsource_MISC)
- github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426 (mitre, x_refsource_MISC)
- kb.netgear.com/000061806/Security-Advisory-for-Unauthenticated-Remote-Buffer-Overflow-Attack-in-PPPD-on-WAC510-PSV-2020-0136 (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2020/02/msg00005.html (mitre, mailing-list, x_refsource_MLIST)
- security.netapp.com/advisory/ntap-20200313-0004/ (mitre, x_refsource_CONFIRM)
- us-cert.cisa.gov/ics/advisories/icsa-20-224-04 (mitre, x_refsource_MISC)
- www.synology.com/security/advisory/Synology_SA_20_02 (mitre, x_refsource_CONFIRM)