CVE-2020-15173 : In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a buffer overflow when receiving an l2tp control pack

In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a buffer overflow when receiving an l2tp control packet ith an AVP which type is a string and no hidden flags, length set to less than 6. If your application is used in open networks or there are untrusted nodes in the network it is highly recommended to apply the patch. The problem was patched with commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b As a workaround changes of commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b can be applied to older versions.

Published 2020-09-09 23:15:11

Updated 2021-11-18 17:48:22

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Overflow

Exploit prediction scoring system (EPSS) score for CVE-2020-15173

Probability of exploitation activity in the next 30 days: 0.36%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-15173

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H	3.9	4.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: High

CWE ids for CVE-2020-15173

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: security-advisories@github.com (Secondary)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-15173

https://github.com/accel-ppp/accel-ppp/security/advisories/GHSA-rr68-fchr-69vf

A possible heap buffer overflow when receiving an l2tp control packet with an AVP which type is a string and no hidden flags, length set to less than 6 · Advisory · accel-ppp/accel-ppp · GitHub
Third Party Advisory
https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b

l2tp: fix RCE through buffer overflow & fix LE/BE compatibility · accel-ppp/accel-ppp@2324bcd · GitHub
Patch;Third Party Advisory

Products affected by CVE-2020-15173

Accel-ppp » Accel-ppp
Versions up to, including, (<=) 1.12.0-92-g38b6104
cpe:2.3:a:accel-ppp:accel-ppp:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-15173

Exploit prediction scoring system (EPSS) score for CVE-2020-15173

CVSS scores for CVE-2020-15173

CWE ids for CVE-2020-15173

References for CVE-2020-15173

Products affected by CVE-2020-15173