Understanding and Mitigating Memory-Based Exploits with RunSafe
CVE-2020-8597 is a critical buffer overflow vulnerability in the Point-to-Point Protocol Daemon (pppd), affecting versions 2.4.2 through 2.4.8. The flaw is in pppd's EAP packet handling (eap.c): a faulty bounds check lets a peer-supplied name overrun a fixed-size stack buffer, and because the packet is parsed before authentication completes, an unauthenticated peer on the PPP link can trigger it. It is especially dangerous because pppd is so widely deployed: it ships in mainstream Linux distributions such as Debian and Ubuntu and in a large number of embedded Linux builds. The range of affected versions looks small, but pppd is a stable stack that receives infrequent updates, so the bug sat in the code for 17 years and is baked into countless fielded systems.
PPPD's vulnerability is a classic stack-based buffer overflow: the copy length is taken from the packet instead of being checked against the destination buffer, so an attacker who controls the packet can corrupt the stack and, from there, execute arbitrary code with pppd's privileges (it normally runs as root). The severity is underscored by its CVSS v3 score of 9.8, classifying it as critical. Notably, the vulnerability affects not just a few software versions but also over 19 vendors, including Siemens, Wind River Linux, Sierra Wireless, OpenWRT, and even Android.
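The bounds check at the heart of this bug, shown as an added example that is not code from the original page or from RunSafe. The two length functions mirror the pre-fix and post-fix checks in pppd's eap.c (the "trim" branch in the vulnerable version is unreachable, because vallen <= len has already been enforced); the parser, the packet builder, the struct, and names such as RHOSTNAME_SIZE are illustrative assumptions, and the oversized MD5-Challenge packet is constructed here for the demonstration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sizeof(rhostname) in pppd's eap_request(): the stack buffer CVE-2020-8597 overflows.
 * (Assumed name; the size matches pppd's 256-byte buffer.) */
#define RHOSTNAME_SIZE 256

/* Parsed EAP-MD5-Challenge type data (the bytes after the 1-byte EAP Type field).
 * Wire layout: [value-size: 1][value: value-size bytes][name: remaining bytes] */
typedef struct {
    size_t vallen;                   /* challenge value length */
    const uint8_t *value;            /* points into the input packet */
    char rhostname[RHOSTNAME_SIZE];  /* peer name, always NUL-terminated */
} eap_md5_challenge;

/* Bytes the pre-fix check lets the copy write into rhostname.
 * pppd <= 2.4.8 tested `vallen >= len + sizeof(rhostname)`, which can never be
 * true once vallen <= len is known, so the name is copied at full length. */
size_t name_copy_len_vulnerable(size_t len, size_t vallen)
{
    if (vallen >= len + RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;   /* dead branch */
    return len - vallen;             /* unbounded: this is the overflow */
}

/* Bytes the corrected check (pppd 2.4.9) lets the copy write: the name length
 * itself is compared against the buffer, so at most 255 bytes plus NUL. */
size_t name_copy_len_fixed(size_t len, size_t vallen)
{
    if (len - vallen >= RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;
    return len - vallen;
}

/* Parse MD5-Challenge type data using the corrected bound.
 * Returns 0 on success, -1 if the packet fails pppd's length sanity checks. */
int parse_md5_challenge(const uint8_t *inp, size_t len, eap_md5_challenge *out)
{
    if (len < 1)
        return -1;                   /* "MD5-Challenge with no data" */
    size_t vallen = inp[0];
    inp++;
    len--;
    if (vallen < 8 || vallen > len)
        return -1;                   /* "MD5-Challenge with bad length" */

    size_t n = name_copy_len_fixed(len, vallen);
    out->vallen = vallen;
    out->value = inp;
    memcpy(out->rhostname, inp + vallen, n);
    out->rhostname[n] = '\0';
    return 0;
}

/* Build a constructed MD5-Challenge type-data buffer: a challenge value of
 * vallen bytes followed by a peer name of namelen 'A's.
 * Returns the total length written, or 0 if it does not fit in cap. */
size_t build_md5_challenge(uint8_t *buf, size_t cap, size_t vallen, size_t namelen)
{
    if (vallen > 255 || 1 + vallen + namelen > cap)
        return 0;
    buf[0] = (uint8_t)vallen;
    memset(buf + 1, 0x42, vallen);
    memset(buf + 1 + vallen, 'A', namelen);
    return 1 + vallen + namelen;
}

int main(void)
{
    /* Constructed malicious packet: 16-byte challenge, 1000-byte peer name.
     * The EAP Length field is 16 bits, so a name this long is legal on the wire. */
    uint8_t pkt[2048];
    size_t pktlen = build_md5_challenge(pkt, sizeof pkt, 16, 1000);
    size_t len = pktlen - 1, vallen = pkt[0];

    printf("pppd <= 2.4.8 copies %zu bytes into a %d-byte stack buffer\n",
           name_copy_len_vulnerable(len, vallen), RHOSTNAME_SIZE);
    printf("pppd 2.4.9 copies %zu bytes\n", name_copy_len_fixed(len, vallen));

    eap_md5_challenge req;
    if (parse_md5_challenge(pkt, pktlen, &req) == 0)
        printf("parsed: vallen=%zu, rhostname truncated to %zu chars\n",
               req.vallen, strlen(req.rhostname));
    return 0;
}
```

The vulnerable function is deliberately only a length calculation rather than a real copy, so the program demonstrates the defect without corrupting its own stack; the fixed path is the one the parser actually uses.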
What makes this exploit particularly dangerous is its simplicity. Some Linux-based builds, such as Yocto and Wind River, ship pppd without basic protections like position-independent executables (PIE), so ASLR cannot randomize where the binary's code is loaded and the addresses of ROP gadgets are fixed and known in advance. On such a build a non-PIE pppd shows up with an ELF type of EXEC rather than DYN, which is a quick way to check a target. Reliable working exploits for this vulnerability are readily available online, posing a significant risk to unprotected systems.
RunSafe addresses this class of vulnerability by denying the attacker the ability to reuse return-oriented programming (ROP) gadgets: even if the buffer overflow is present and the stack is corrupted, the attacker cannot turn that corruption into arbitrary code execution in the process. This mitigates exploitation rather than removing the bug itself, so upgrading pppd to a fixed release (2.4.9 or a distribution backport of the fix) remains the right remediation; RunSafe's protection covers the window before a patch can be deployed and systems where one cannot be deployed promptly. With it in place, vulnerabilities like CVE-2020-8597 are effectively mitigated.