Many Linux-based operating systems have been found to be affected by a security flaw which has existed for 17 years.
The US-Cert has highlighted that PPPD (Point to Point Protocol Daemon) versions 2.4.2 to 2.4.8 are “vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines”.
“PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP),” said US-Cert.
The vulnerability is caused by an error in validating the size of inputted data before it is copied into memory.
It explained that an unauthenticated remote attacker could exploit the flaw to cause a stack buffer overflow, which can allow code to be executed on the targeted device.
“As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code,” said US-Cert.
The flaw was discovered by Ija Van Sprundel, an IOActive security researcher.
Sprundel said the following popular Linux-based operating systems are affected by the flaw:
- SUSE Linux
- Red Hat Enterprise Linux
Additionally, FossBytes reports that the following devices are vulnerable to attacks:
- TP-LINK products
- Synology products
- Cisco CallManager
- OpenWRT Embedded OS
FossBytes recommends users update their systems to avoid being vulnerable to the exploitation of this flaw.