CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
We are using an older version of pppd that does not use EAP and does not have this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
Visit ALAS post https://alas.aws.amazon.com/AL2/ALAS-2020-1400.html for details of this vulnerability
Amazon Linux has adopted RedHat advisory and published their own updates. Please see Vendor URL section for details.
CVE-2020-8597 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
Apple has a forked version of ppp that was modified years earlier. It shows not affected due to the source code changes.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
ArchLinux has updated its advisory on March 7 2020,with ASA-202003-3 advisory with resolution statement"Upgrade to 2.4.7-7. #pacman -Syu"ppp>=2.4.7-7"The problem has been fixed upstream but no release is available yet."
CVE-2020-8597 | Not Affected |
Arista products do not have any features using pppd,hence no Arista products are affected.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
FRITZ!Box and other AVM products are not affected. AVM does not use the ppp implementation from the pppd project.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
No other Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
2020-02-25 - Jaroslav Skarvadajskarvad@redhat.com- 2.4.5-34 - Fixed buffer overflow in the eap_request and eap_response functions Resolves:CVE-2020-8597 Centos 8: Update provided follow the Vendor URL for your architecture Centos 7: Update provided follow the Vendor URL for your version and architecture Centos 6: End of Life no updates available
CVE-2020-8597 | Affected |
See Checkpoint security advisory sk165875 link in Vendor URL section.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
Cisco is investigating this issue and has assigned a bug ID CSCvs95534.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
CoreOS Container Linux does not ship pppd.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
Package:ppp Version:2.4.6-3.1+deb8u1 CVE ID:CVE-2020-8597 Debian Bug:950618 Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp,the Point-to-Point Protocol daemon. When receiving an EAP Request message in client mode,an attacker was able to overflow the rhostname array by providing a very long name. This issue is also mitigated by Debian's hardening build flags. For Debian 8"Jessie",this problem has been fixed in version 2.4.6-3.1+deb8u1. We recommend that you upgrade your ppp packages. Further information about Debian LTS security advisories,how to apply these updates to your system and frequently asked questions can be
Vendor bug report can be found in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950618
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
Thank you for your request for Technical Support. EAP isn't supported on 3900/2960/300B PPTP,so these should not be affected. The rest of the models are running in non-linux platform,the PPTP service isn't using pppd either.
Updated information from Draytek March 6,2020 Draytek DSL models are running in our in-house OS,they won't be affected by this vulnerability. Draytek also plans to add protection in the next firmware release to enhance the security for Vigor3900/2960,although EAP is not enabled or supported. Please check advisory URL mentioned below for updates.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Fedora Project has put out new software updates to address this issue on Fri,21 Feb 2020 16:44:33 UTC,please use the vendor's URL's to find the suitable update for your version of Fedora and your platform.
CVE-2020-8597 | Not Affected |
Fortinet FortiOS are not impacted by this vulnerability
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
FreeBSD does not distribute pppd.
A review of the pppd source tree suggests that FreeBSD do not include pppd in the base system(removed in r190751 - ten years ago). The first pppd version that contained the vulnerability was 2.4.2,and FreeBSD has never shipped with that version.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Please see Google's advisory that was recently published to acknowledge this issue.
CVE-2020-8597 | Not Affected |
HardenedBSD does not ship with this software in the base operating system.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
Juniper is not impacted by this vulnerability
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
LANCOM Systems products are not vulnerable to these vulnerabilities.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
lwIP is a bit different than pppd,we added a lot of preprocessor directives to enable or disable features at compile time in order to reduce binary size output and EAP is disabled by default: http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/include/netif/ppp/ppp_opts.h?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n234 http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/netif/ppp/eap.c?id=d2 81d3e9592a3ca2ad0c3b7840f8036facc02f7b#n46 That is,no product using lwIP were ever shipped with the EAP code compiled at all.
EAP was never used by any lwIP user. The lwIP PPP support is mostly used with cellular modems only as a framing protocol limited to the serial link between the MCU and the modem were security is less relevant because it is not authenticated anyway. The lwIP so far has had support for PAP,CHAP,MS-CHAP(tied to MPPE keys exchange),but EAP has never been enabled from compile time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
The described issue is with EAP authentication,which RouterOS doesn't support for PPP
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
NetApp is investigating this issue and will continue to update this advisory as additional information becomes available. This advisory should be considered the single source of current,up-to-date,authorized and accurate information from NetApp. Advisory ID:NTAP-20200313-0004 Version:2.0 Last updated:03/16/2020 Status:Interim. CVEs:CVE-2020-8597.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
NetBSD external ppp has been updated in the CVS repository. Users can set up pkg_admin to download the pkg-vulnerabilities file daily(URL in the Vendor URL section),and include a package audit in the daily security script. Details on this are located in the MESSAGE file for pkg_install.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability(CVE-2020-8597)DESCRIPTION A remotely exploitable vulnerability was found in Point-to-Point Protocol Daemon(pppd),which has a significant potential impact due to the possibility of remote code execution prior to authentication. OpenWrt by default enables the_FORTIFY_SOURCE=1 compiler macro which introduces additional checks to detect buffer-overflows in the standard library functions,thus protecting the memcpy()abused in this overflow,preventing the actual buffer overflow and hence possible remote code execution by instead terminating the pppd daemon. Due to those defaults the impact of the issue was changed to a denial of service vulnerability,which is now also addressed by this fix. CVE-2020-8597 has been assigned to this issue,you can find the latest version of this advisory on our wiki. REQUIREMENTS In order to exploit this vulnerability,a malicious attacker would need to provide specially crafted EAP Request packet of type EAPT_MD5CHAP to ppp running in client mode and thus overflowing the rhostname string buffer by providing a very long hostname. MITIGATIONS To fix this issue,update the affected ppp package using the command below. opkg update; opkg upgrade ppp
The fix is contained in the following and later versions: OpenWrt master:2020-02-20 reboot-12255-g215598fd0389 OpenWrt 19.07:2020-02-20 v19.07.1-17-g6b7eeb74dbf8 OpenWrt 18.06:2020-02-20 v18.06.7-6-gcc78f934a946 AFFECTED VERSIONS To our knowledge,OpenWrt versions 18.06.0 to 18.06.7 and versions 19.07.0 to 19.07.1 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.8 and OpenWrt 19.07.2 releases. Older versions of OpenWrt(e.g. OpenWrt 15.05 and LEDE 17.01)are end of life and not supported any more.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The"Stack Smashing Protection"may help mitigate code execution attacks for this flaw and limit its impact to crash only. This flaw only affects pppd servers and clients when EAP negotiation is used. pppd will refuse to do EAP negotiation unless it has an appropriate secret to use. The secret has to be added to/etc/ppp/chap-secrets. EAP can use CHAP or SRP as the underlying flavour of authentication,Red Hat packages are not compiled with SRP code.
Redhat has created a Bug ID 1800727 for this vulnerability. RedHat has put our updates for their supported platforms. The vendor URL section has links to these updates. It is assumed that EAP needs to be enabled for this vulnerability to be exposed. However this is not the case as shown by Ilja Van Spronkel that even if EAP is disabled,an unauthenticated and unsolicited EAP packet can be send to trigger this vulnerability.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
We have published a security advisory for this issue. All new information will be updated on the advisory link below.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Vendor has released a security advisory Wed,4 Mar 2020 14:34:55 PST. Check to make sure you are subscribed to slackware-security@slackware.com and security@slackware.com is in your whitelist to receive slackware's security advisories.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
We are indeed affected by this vulnerability in all our supported codestreams. However,this is mitigated by the FORTIFY_SOURCE overflow checking and also by the Stack Protector Overflow heuristic protection that our products ship. Updates are also on the way and we are going to release them within the next weeks. One can track the progress of the update along with all the affected software in our security page mentioned in the vendor URL section.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
Synology confirms the following products are affected: - DiskStation Manager(DSM)- VisualStation VS960HD - Synology Router Manager(SRM)Synology has published a security advisory on 2020-03-06 10:40:29 UTC+8 at https://www.synology.com/security/advisory/Synology_SA_20_02
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
We have published a security advisory for this issue(see link below in Vendor URLs section). And we are still working on this,and all new information will be updated on this advisory.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Ubiquiti Networks has put out advisory using their community releases with an updated firmware to address this vulnerability. Please check the URL's below for obtaining the right firmware to patch your systems.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
The ppp security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS The problem can be corrected by updating your system to the following package versions respectively: Ubuntu 19.10 ppp - 2.4.7-2+4.1ubuntu4.1 Ubuntu 18.04 LTS - ppp - 2.4.7-2+2ubuntu1.2 Ubuntu 16.04 LTS - ppp - 2.4.7-1+2ubuntu1.16.04.2 To update your system,use system package manager provided as part of Ubuntu..
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Wind River support and defects page provides way to search for products affected by this vulnerability. As of Feb 4 2020,the security updates pages shows this CVE is being addressed by Windriver. Please use this defects page to search for your product or search for the CVE-2020-8597 as"Keyword"to obtain the relevant software and firmware updates.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
CVE-2020-8597 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.