A10 Networks

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Actiontec

Notified:  February 19, 2020 Updated: February 25, 2020

Status

  Not Affected

Vendor Statement

We are using an older version of pppd that does not use EAP and does not have this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ADTRAN

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent Enterprise

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alpine Linux

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Amazon

Notified:  February 11, 2020 Updated: March 10, 2020

Status

  Affected

Vendor Statement

Visit ALAS post https://alas.aws.amazon.com/AL2/ALAS-2020-1400.html for details of this vulnerability

Vendor Information

Amazon Linux has adopted the Red Hat advisory and published its own updates. Please see the Vendor URL section for details.

Vendor References

Apple

Notified:  February 11, 2020 Updated: February 19, 2020

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Apple has a forked version of ppp that was modified years earlier. It is listed as not affected because of those source code changes.

Arch Linux

Notified:  February 11, 2020 Updated: March 09, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Arch Linux updated its advisory on March 7, 2020, with advisory ASA-202003-3, which gives the resolution statement: "Upgrade to 2.4.7-7. # pacman -Syu "ppp>=2.4.7-7" The problem has been fixed upstream but no release is available yet."

Vendor References

Arista Networks, Inc.

Notified:  February 11, 2020 Updated: February 14, 2020

Status

  Not Affected

Vendor Statement

Arista products do not have any features using pppd, hence no Arista products are affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARRIS

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aspera Inc.

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AVM GmbH

Notified:  February 19, 2020 Updated: March 05, 2020

Status

  Not Affected

Vendor Statement

FRITZ!Box and other AVM products are not affected. AVM does not use the ppp implementation from the pppd project.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Brocade Communication Systems

Notified:  February 19, 2020 Updated: February 25, 2020

Status

  Not Affected

Vendor Statement

No other Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Buffalo Inc

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS

Updated:  March 20, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

2020-02-25 - Jaroslav Skarvada - 2.4.5-34 - Fixed buffer overflow in the eap_request and eap_response functions. Resolves: CVE-2020-8597

CentOS 8: Update provided; follow the Vendor URL for your architecture.

CentOS 7: Update provided; follow the Vendor URL for your version and architecture.

CentOS 6: End of Life; no updates available.

Vendor References

Check Point

Notified:  February 19, 2020 Updated: March 23, 2020

Status

  Affected

Vendor Statement

See the Check Point security advisory sk165875 link in the Vendor URL section.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco

Updated:  March 18, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco is investigating this issue and has assigned bug ID CSCvs95534.

Vendor References

Comcast

Notified:  February 19, 2020 Updated: February 21, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  February 11, 2020 Updated: February 12, 2020

Status

  Not Affected

Vendor Statement

CoreOS Container Linux does not ship pppd.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cradlepoint

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

dd-wrt

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Updated:  February 19, 2020

Status

  Affected

Vendor Statement

Package: ppp Version: 2.4.6-3.1+deb8u1 CVE ID: CVE-2020-8597 Debian Bug: 950618

Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp, the Point-to-Point Protocol daemon. When receiving an EAP Request message in client mode, an attacker was able to overflow the rhostname array by providing a very long name. This issue is also mitigated by Debian's hardening build flags.

For Debian 8 "Jessie", this problem has been fixed in version 2.4.6-3.1+deb8u1. We recommend that you upgrade your ppp packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be

Vendor Information

The vendor bug report can be found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950618

Vendor References

Dell EMC

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DesktopBSD

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Deutsche Telekom

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DrayTek Corporation

Notified:  February 13, 2020 Updated: March 06, 2020

Status

  Not Affected

Vendor Statement

Thank you for your request for Technical Support. EAP isn't supported on 3900/2960/300B PPTP, so these should not be affected. The rest of the models are running in non-linux platform, the PPTP service isn't using pppd either.

Vendor Information

Updated information from DrayTek, March 6, 2020: DrayTek DSL models are running in our in-house OS; they won't be affected by this vulnerability. DrayTek also plans to add protection in the next firmware release to enhance the security for Vigor3900/2960, although EAP is not enabled or supported. Please check the advisory URL mentioned below for updates.

Vendor References

eero

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  February 11, 2020 Updated: March 09, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Fedora Project released new software updates to address this issue on Fri, 21 Feb 2020 16:44:33 UTC. Please use the vendor's URLs to find the suitable update for your version of Fedora and your platform.

Vendor References

Fortinet

Notified:  February 13, 2020 Updated: February 25, 2020

Status

  Not Affected

Vendor Statement

Fortinet FortiOS are not impacted by this vulnerability

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  February 11, 2020 Updated: February 21, 2020

Status

  Not Affected

Vendor Statement

FreeBSD does not distribute pppd.

Vendor Information

A review of the pppd source tree suggests that FreeBSD does not include pppd in the base system (removed in r190751 - ten years ago). The first pppd version that contained the vulnerability was 2.4.2, and FreeBSD has never shipped with that version.

F-Secure Corporation

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HardenedBSD

Notified:  February 11, 2020 Updated: February 12, 2020

Status

  Not Affected

Vendor Statement

HardenedBSD does not ship with this software in the base operating system.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HP Inc.

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM, INC.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Illumos

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Joyent

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks

Notified:  February 11, 2020 Updated: February 25, 2020

Status

  Not Affected

Vendor Statement

Juniper is not impacted by this vulnerability

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

LANCOM Systems GmbH

Notified:  February 19, 2020 Updated: February 26, 2020

Status

  Not Affected

Vendor Statement

LANCOM Systems products are not vulnerable to these vulnerabilities.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

lwIP

Notified:  February 05, 2020 Updated: February 16, 2020

Status

  Not Affected

Vendor Statement

lwIP is a bit different than pppd, we added a lot of preprocessor directives to enable or disable features at compile time in order to reduce binary size output and EAP is disabled by default:

http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/include/netif/ppp/ppp_opts.h?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n234

http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/netif/ppp/eap.c?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n46

That is, no product using lwIP was ever shipped with the EAP code compiled at all.

Vendor Information

EAP was never used by any lwIP user. The lwIP PPP support is mostly used with cellular modems only as a framing protocol limited to the serial link between the MCU and the modem where security is less relevant because it is not authenticated anyway. The lwIP so far has had support for PAP, CHAP, MS-CHAP (tied to MPPE keys exchange), but EAP has never been enabled from compile time.

Vendor References

m0n0wall

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Marconi, Inc.

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Micro Focus

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft

Updated:  March 10, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Microsoft

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MikroTik

Notified:  February 13, 2020 Updated: February 14, 2020

Status

  Not Affected

Vendor Statement

The described issue is with EAP authentication, which RouterOS doesn't support for PPP.

Mitel Networks, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NAS4Free

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetApp

Updated:  March 18, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

NetApp is investigating this issue and will continue to update this advisory as additional information becomes available. This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp. Advisory ID: NTAP-20200313-0004 Version: 2.0 Last updated: 03/16/2020 Status: Interim. CVEs: CVE-2020-8597.

Vendor References

NetBSD

Notified:  February 11, 2020 Updated: February 21, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

NetBSD external ppp has been updated in the CVS repository. Users can set up pkg_admin to download the pkg-vulnerabilities file daily (URL in the Vendor URL section), and include a package audit in the daily security script. Details on this are located in the MESSAGE file for pkg_install.

Vendor References

Netgear, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nexenta

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  February 11, 2020 Updated: February 21, 2020

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenIndiana

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenWRT

Notified:  February 19, 2020 Updated: February 25, 2020

Status

  Affected

Vendor Statement

Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability (CVE-2020-8597)

DESCRIPTION

A remotely exploitable vulnerability was found in Point-to-Point Protocol Daemon (pppd), which has a significant potential impact due to the possibility of remote code execution prior to authentication. OpenWrt by default enables the _FORTIFY_SOURCE=1 compiler macro which introduces additional checks to detect buffer-overflows in the standard library functions, thus protecting the memcpy() abused in this overflow, preventing the actual buffer overflow and hence possible remote code execution by instead terminating the pppd daemon. Due to those defaults the impact of the issue was changed to a denial of service vulnerability, which is now also addressed by this fix. CVE-2020-8597 has been assigned to this issue, you can find the latest version of this advisory on our wiki.

REQUIREMENTS

In order to exploit this vulnerability, a malicious attacker would need to provide specially crafted EAP Request packet of type EAPT_MD5CHAP to ppp running in client mode and thus overflowing the rhostname string buffer by providing a very long hostname.

MITIGATIONS

To fix this issue, update the affected ppp package using the command below.

`opkg update; opkg upgrade ppp`

The fix is contained in the following and later versions:

- OpenWrt master: 2020-02-20 reboot-12255-g215598fd0389
- OpenWrt 19.07: 2020-02-20 v19.07.1-17-g6b7eeb74dbf8
- OpenWrt 18.06: 2020-02-20 v18.06.7-6-gcc78f934a946

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.7 and versions 19.07.0 to 19.07.1 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.8 and OpenWrt 19.07.2 releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Peplink

Notified:  February 19, 2020 Updated: March 12, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

pfSense

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc.

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quantenna Communications

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  February 11, 2020 Updated: March 03, 2020

Status

  Affected

Vendor Statement

The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only. This flaw only affects pppd servers and clients when EAP negotiation is used. pppd will refuse to do EAP negotiation unless it has an appropriate secret to use. The secret has to be added to /etc/ppp/chap-secrets. EAP can use CHAP or SRP as the underlying flavour of authentication, Red Hat packages are not compiled with SRP code.

Vendor Information

Red Hat has created Bug ID 1800727 for this vulnerability. Red Hat has put out updates for its supported platforms. The vendor URL section has links to these updates. It is assumed that EAP needs to be enabled for this vulnerability to be exposed. However, this is not the case: Ilja Van Sprundel has shown that even if EAP is disabled, an unauthenticated and unsolicited EAP packet can be sent to trigger this vulnerability.

Vendor References

Ruckus Wireless

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sierra Wireless

Notified:  February 19, 2020 Updated: March 06, 2020

Status

  Affected

Vendor Statement

We have published a security advisory for this issue. All new information will be updated on the advisory link below.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified:  February 11, 2020 Updated: March 09, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor released a security advisory on Wed, 4 Mar 2020 14:34:55 PST. Make sure you are subscribed to slackware-security@slackware.com and that security@slackware.com is in your whitelist to receive Slackware's security advisories.

Vendor References

SMC Networks, Inc.

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  February 11, 2020 Updated: February 21, 2020

Status

  Affected

Vendor Statement

We are indeed affected by this vulnerability in all our supported codestreams. However, this is mitigated by the FORTIFY_SOURCE overflow checking and also by the Stack Protector Overflow heuristic protection that our products ship. Updates are also on the way and we are going to release them within the next weeks. One can track the progress of the update along with all the affected software in our security page mentioned in the vendor URL section.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Synology

Notified:  February 11, 2020 Updated: March 06, 2020

Status

  Affected

Vendor Statement

Synology confirms the following products are affected:

- DiskStation Manager (DSM)
- VisualStation VS960HD
- Synology Router Manager (SRM)

Synology has published a security advisory on 2020-03-06 10:40:29 UTC+8 at https://www.synology.com/security/advisory/Synology_SA_20_02

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

TDS Telecom

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Technicolor

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tizen

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TP-LINK

Notified:  February 19, 2020 Updated: March 03, 2020

Status

  Affected

Vendor Statement

We have published a security advisory for this issue (see link below in Vendor URLs section). We are still working on this, and all new information will be updated on this advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

TrueOS

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubiquiti Networks

Notified:  February 19, 2020 Updated: March 09, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ubiquiti Networks has put out an advisory through their community releases, with updated firmware that addresses this vulnerability. Please check the URLs below to obtain the right firmware to patch your systems.

Vendor References

Ubuntu

Notified:  February 11, 2020 Updated: February 20, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The ppp security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

The problem can be corrected by updating your system to the following package versions respectively:

- Ubuntu 19.10: ppp - 2.4.7-2+4.1ubuntu4.1
- Ubuntu 18.04 LTS: ppp - 2.4.7-2+2ubuntu1.2
- Ubuntu 16.04 LTS: ppp - 2.4.7-1+2ubuntu1.16.04.2

To update your system, use the system package manager provided as part of Ubuntu.

Vendor References

Unisys

Notified:  February 11, 2020 Updated: February 11, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River

Notified:  February 19, 2020 Updated: March 09, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The Wind River support and defects page provides a way to search for products affected by this vulnerability. As of Feb 4 2020, the security updates page shows this CVE is being addressed by Wind River. Please use this defects page to search for your product, or search for CVE-2020-8597 as "Keyword", to obtain the relevant software and firmware updates.

Vendor References

Zyxel

Notified:  February 19, 2020 Updated: February 19, 2020

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.
