A10 Networks Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

ACCESS Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Actiontec Not Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

We are using an older version of pppd that does not use EAP and does not have this vulnerability.

CERT Addendum

There are no additional comments at this time.

ADTRAN Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Alcatel-Lucent Enterprise Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Alpine Linux Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Amazon Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

Visit ALAS post https://alas.aws.amazon.com/AL2/ALAS-2020-1400.html for details of this vulnerability

References

CERT Addendum

Amazon Linux has adopted RedHat advisory and published their own updates. Please see Vendor URL section for details.

Apple Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

Apple has a forked version of ppp that was modified years earlier. It shows not affected due to the source code changes.

Arch Linux Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

ArchLinux has updated its advisory on March 7 2020,with ASA-202003-3 advisory with resolution statement"Upgrade to 2.4.7-7. #pacman -Syu"ppp>=2.4.7-7"The problem has been fixed upstream but no release is available yet."

Arista Networks Inc. Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

Arista products do not have any features using pppd,hence no Arista products are affected.

CERT Addendum

There are no additional comments at this time.

ARRIS Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Aspera Inc. Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

ASUSTeK Computer Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

AT&T Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Avaya Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

AVM GmbH Not Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

FRITZ!Box and other AVM products are not affected. AVM does not use the ppp implementation from the pppd project.

CERT Addendum

There are no additional comments at this time.

Belkin Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Brocade Communication Systems Not Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

No other Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities

CERT Addendum

There are no additional comments at this time.

Buffalo Technology Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

CentOS Affected

Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

2020-02-25 - Jaroslav Skarvadajskarvad@redhat.com- 2.4.5-34 - Fixed buffer overflow in the eap_request and eap_response functions Resolves:CVE-2020-8597 Centos 8: Update provided follow the Vendor URL for your architecture Centos 7: Update provided follow the Vendor URL for your version and architecture Centos 6: End of Life no updates available

Check Point Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

See Checkpoint security advisory sk165875 link in Vendor URL section.

References

CERT Addendum

There are no additional comments at this time.

Cisco Unknown

Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Cisco is investigating this issue and has assigned a bug ID CSCvs95534.

Comcast Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

CoreOS Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

CoreOS Container Linux does not ship pppd.

CERT Addendum

There are no additional comments at this time.

Cradlepoint Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

dd-wrt Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Debian GNU/Linux Affected

Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

Package:ppp Version:2.4.6-3.1+deb8u1 CVE ID:CVE-2020-8597 Debian Bug:950618 Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp,the Point-to-Point Protocol daemon. When receiving an EAP Request message in client mode,an attacker was able to overflow the rhostname array by providing a very long name. This issue is also mitigated by Debian's hardening build flags. For Debian 8"Jessie",this problem has been fixed in version 2.4.6-3.1+deb8u1. We recommend that you upgrade your ppp packages. Further information about Debian LTS security advisories,how to apply these updates to your system and frequently asked questions can be

References

CERT Addendum

Vendor bug report can be found in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950618

Dell EMC Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

DesktopBSD Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Deutsche Telekom Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

D-Link Systems Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

DragonFly BSD Project Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

DrayTek Corporation Not Affected

Notified:  2020-02-13 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

Thank you for your request for Technical Support. EAP isn't supported on 3900/2960/300B PPTP,so these should not be affected. The rest of the models are running in non-linux platform,the PPTP service isn't using pppd either.

References

CERT Addendum

Updated information from Draytek March 6,2020 Draytek DSL models are running in our in-house OS,they won't be affected by this vulnerability. Draytek also plans to add protection in the next firmware release to enhance the security for Vigor3900/2960,although EAP is not enabled or supported. Please check advisory URL mentioned below for updates.

eero Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Extreme Networks Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

F5 Networks Inc. Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Fedora Project Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Fedora Project has put out new software updates to address this issue on Fri,21 Feb 2020 16:44:33 UTC,please use the vendor's URL's to find the suitable update for your version of Fedora and your platform.

Fortinet Not Affected

Notified:  2020-02-13 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

Fortinet FortiOS are not impacted by this vulnerability

CERT Addendum

There are no additional comments at this time.

FreeBSD Project Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

FreeBSD does not distribute pppd.

CERT Addendum

A review of the pppd source tree suggests that FreeBSD do not include pppd in the base system(removed in r190751 - ten years ago). The first pppd version that contained the vulnerability was 2.4.2,and FreeBSD has never shipped with that version.

F-Secure Corporation Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Geexbox Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Gentoo Linux Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Google Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Please see Google's advisory that was recently published to acknowledge this issue.

HardenedBSD Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

HardenedBSD does not ship with this software in the base operating system.

CERT Addendum

There are no additional comments at this time.

Hewlett Packard Enterprise Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Hitachi Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

HP Inc. Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Huawei Technologies Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

IBM Corporation Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Illumos Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Intel Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Joyent Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Juniper Networks Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

Juniper is not impacted by this vulnerability

CERT Addendum

There are no additional comments at this time.

LANCOM Systems GmbH Not Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

LANCOM Systems products are not vulnerable to these vulnerabilities.

CERT Addendum

There are no additional comments at this time.

Lenovo Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Linksys Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

lwIP Not Affected

Notified:  2020-02-05 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

lwIP is a bit different than pppd,we added a lot of preprocessor directives to enable or disable features at compile time in order to reduce binary size output and EAP is disabled by default: http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/include/netif/ppp/ppp_opts.h?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n234 http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/netif/ppp/eap.c?id=d2 81d3e9592a3ca2ad0c3b7840f8036facc02f7b#n46 That is,no product using lwIP were ever shipped with the EAP code compiled at all.

References

CERT Addendum

EAP was never used by any lwIP user. The lwIP PPP support is mostly used with cellular modems only as a framing protocol limited to the serial link between the MCU and the modem were security is less relevant because it is not authenticated anyway. The lwIP so far has had support for PAP,CHAP,MS-CHAP(tied to MPPE keys exchange),but EAP has never been enabled from compile time.

m0n0wall Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Marconi Inc. Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Micro Focus Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Microsoft Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

MikroTik Not Affected

Notified:  2020-02-13 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

The described issue is with EAP authentication,which RouterOS doesn't support for PPP

CERT Addendum

There are no additional comments at this time.

Mitel Networks Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Motorola Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

NEC Corporation Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

NetApp Unknown

Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

NetApp is investigating this issue and will continue to update this advisory as additional information becomes available. This advisory should be considered the single source of current,up-to-date,authorized and accurate information from NetApp. Advisory ID:NTAP-20200313-0004 Version:2.0 Last updated:03/16/2020 Status:Interim. CVEs:CVE-2020-8597.

NetBSD Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

NetBSD external ppp has been updated in the CVS repository. Users can set up pkg_admin to download the pkg-vulnerabilities file daily(URL in the Vendor URL section),and include a package audit in the daily security script. Details on this are located in the MESSAGE file for pkg_install.

Netgear Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Nexenta Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Nokia Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

OpenBSD Not Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

OpenIndiana Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Openwall GNU/*/Linux Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

OpenWRT Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability(CVE-2020-8597)DESCRIPTION A remotely exploitable vulnerability was found in Point-to-Point Protocol Daemon(pppd),which has a significant potential impact due to the possibility of remote code execution prior to authentication. OpenWrt by default enables the_FORTIFY_SOURCE=1 compiler macro which introduces additional checks to detect buffer-overflows in the standard library functions,thus protecting the memcpy()abused in this overflow,preventing the actual buffer overflow and hence possible remote code execution by instead terminating the pppd daemon. Due to those defaults the impact of the issue was changed to a denial of service vulnerability,which is now also addressed by this fix. CVE-2020-8597 has been assigned to this issue,you can find the latest version of this advisory on our wiki. REQUIREMENTS In order to exploit this vulnerability,a malicious attacker would need to provide specially crafted EAP Request packet of type EAPT_MD5CHAP to ppp running in client mode and thus overflowing the rhostname string buffer by providing a very long hostname. MITIGATIONS To fix this issue,update the affected ppp package using the command below. opkg update; opkg upgrade pppThe fix is contained in the following and later versions: OpenWrt master:2020-02-20 reboot-12255-g215598fd0389 OpenWrt 19.07:2020-02-20 v19.07.1-17-g6b7eeb74dbf8 OpenWrt 18.06:2020-02-20 v18.06.7-6-gcc78f934a946 AFFECTED VERSIONS To our knowledge,OpenWrt versions 18.06.0 to 18.06.7 and versions 19.07.0 to 19.07.1 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.8 and OpenWrt 19.07.2 releases. Older versions of OpenWrt(e.g. OpenWrt 15.05 and LEDE 17.01)are end of life and not supported any more.

References

CERT Addendum

There are no additional comments at this time.

Oracle Corporation Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

PePLink Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

There are no additional comments at this time.

pfSense Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

QNX Software Systems Inc. Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Quagga Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Quantenna Communications Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Red Hat Inc. Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The"Stack Smashing Protection"may help mitigate code execution attacks for this flaw and limit its impact to crash only. This flaw only affects pppd servers and clients when EAP negotiation is used. pppd will refuse to do EAP negotiation unless it has an appropriate secret to use. The secret has to be added to/etc/ppp/chap-secrets. EAP can use CHAP or SRP as the underlying flavour of authentication,Red Hat packages are not compiled with SRP code.

References

CERT Addendum

Redhat has created a Bug ID 1800727 for this vulnerability. RedHat has put our updates for their supported platforms. The vendor URL section has links to these updates. It is assumed that EAP needs to be enabled for this vulnerability to be exposed. However this is not the case as shown by Ilja Van Spronkel that even if EAP is disabled,an unauthenticated and unsolicited EAP packet can be send to trigger this vulnerability.

Ruckus Wireless Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

s2n Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

SafeNet Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Sierra Wireless Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

We have published a security advisory for this issue. All new information will be updated on the advisory link below.

References

CERT Addendum

There are no additional comments at this time.

Slackware Linux Inc. Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Vendor has released a security advisory Wed,4 Mar 2020 14:34:55 PST. Check to make sure you are subscribed to slackware-security@slackware.com and security@slackware.com is in your whitelist to receive slackware's security advisories.

SMC Networks Inc. Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Sony Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

SUSE Linux Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

We are indeed affected by this vulnerability in all our supported codestreams. However,this is mitigated by the FORTIFY_SOURCE overflow checking and also by the Stack Protector Overflow heuristic protection that our products ship. Updates are also on the way and we are going to release them within the next weeks. One can track the progress of the update along with all the affected software in our security page mentioned in the vendor URL section.

References

CERT Addendum

There are no additional comments at this time.

Synology Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

Synology confirms the following products are affected: - DiskStation Manager(DSM)- VisualStation VS960HD - Synology Router Manager(SRM)Synology has published a security advisory on 2020-03-06 10:40:29 UTC+8 at https://www.synology.com/security/advisory/Synology_SA_20_02

References

CERT Addendum

There are no additional comments at this time.

TDS Telecom Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Technicolor Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Tizen Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

TP-LINK Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

We have published a security advisory for this issue(see link below in Vendor URLs section). And we are still working on this,and all new information will be updated on this advisory.

References

CERT Addendum

There are no additional comments at this time.

TrueOS Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Turbolinux Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Ubiquiti Networks Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Ubiquiti Networks has put out advisory using their community releases with an updated firmware to address this vulnerability. Please check the URL's below for obtaining the right firmware to patch your systems.

Ubuntu Affected

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

The ppp security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS The problem can be corrected by updating your system to the following package versions respectively: Ubuntu 19.10 ppp - 2.4.7-2+4.1ubuntu4.1 Ubuntu 18.04 LTS - ppp - 2.4.7-2+2ubuntu1.2 Ubuntu 16.04 LTS - ppp - 2.4.7-1+2ubuntu1.16.04.2 To update your system,use system package manager provided as part of Ubuntu..

Unisys Corporation Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Wind River Affected

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

References

CERT Addendum

Wind River support and defects page provides way to search for products affected by this vulnerability. As of Feb 4 2020,the security updates pages shows this CVE is being addressed by Windriver. Please use this defects page to search for your product or search for the CVE-2020-8597 as"Keyword"to obtain the relevant software and firmware updates.

XigmaNAS Unknown

Notified:  2020-02-11 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

Zyxel Unknown

Notified:  2020-02-19 Updated: 2020-06-19

CVE-2020-8597 Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CERT Addendum

There are no additional comments at this time.

View all 102 vendors View less vendors