Bug 1866491 (CVE-2020-15704) - CVE-2020-15704 ppp: Privilege escalation through loading of arbitrary kernel modules and other programs
Status: CLOSED NOTABUG
Alias: CVE-2020-15704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1866492
Blocks: 1866493
Reported: 2020-08-05 17:42 UTC by Pedro Sampaio
Modified: 2021-09-28 16:04 UTC (History)

Last Closed: 2020-08-24 21:15:18 UTC

Description Pedro Sampaio 2020-08-05 17:42:37 UTC
It was found that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code.

References:

https://ubuntu.com/security/notices/USN-4451-1

Comment 1 Pedro Sampaio 2020-08-05 17:42:55 UTC
Created ppp tracking bugs for this issue:

Affects: fedora-all [bug 1866492]

Comment 2 Jaroslav Škarvada 2020-08-05 20:59:52 UTC
Could you please provide more information? From the Ubuntu link you provided it seems the problem was in an Ubuntu downstream patch we never shipped in Fedora.

Also I don't understand how this could be a security problem. If the malicious user who is running ppp already has permissions to use modprobe and install kernel modules to the filesystem, she or he could modprobe/run the malicious code by themselves and they don't need to exploit ppp.

Comment 3 Pedro Sampaio 2020-08-24 18:06:38 UTC
(In reply to Jaroslav Škarvada from comment #2)
> Could you please provide more information? From the Ubuntu link you provided
> it seems the problem was in an Ubuntu downstream patch we never shipped in
> Fedora.
> 
> Also I don't understand how this could be a security problem. If the malicious
> user who is running ppp already has permissions to use modprobe and install
> kernel modules to the filesystem, she or he could modprobe/run the malicious
> code by themselves and they don't need to exploit ppp.

Hi Alexander,

Can you help with this inquiry? I couldn't find much more info.

Comment 4 Product Security DevOps Team 2020-08-24 21:15:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15704

Comment 8 Petr Matousek 2020-08-26 12:25:36 UTC
Statement:

Red Hat Product Security does not consider this to be a vulnerability in a Red Hat product as this issue resides in an Ubuntu-specific patch.

Moreover, the described problem is that the ppp daemon can load the module ppp_generic on startup, and this is considered to be potentially dangerous, because a user can install a fake ppp_generic module instead of the real one. However, only a user with high privileges can install a new ppp_generic module to the correct path for modprobe, so if a user has high privileges, then he can load any module he wants anyway.
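
The premise of the statement above, that only a privileged user can place a ppp_generic module where modprobe will find it, can be verified on a given host. The script below is an added example, not part of this bug report or of any Red Hat tooling; the function names `audit_module_tree` and `module_tree_is_safe` are hypothetical, and it assumes modules are installed under `/lib/modules/<kernel release>`.

```shell
#!/bin/sh
# Added example: audit whether anything under a kernel module tree could be
# replaced by a user other than the trusted owner.

# audit_module_tree DIR [OWNER]
# Prints every path under DIR that is not owned by OWNER (default: root)
# or that is group- or world-writable. Symlinks are skipped because their
# own mode bits are always 0777 on Linux; their targets are not followed,
# so a link leaving the tree needs a separate look.
audit_module_tree() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print
}

# module_tree_is_safe DIR [OWNER]
# Returns 0 when the audit finds nothing, 1 when it finds something,
# 2 when the tree could not be read.
module_tree_is_safe() {
    findings=$(audit_module_tree "$@") || return 2
    [ -z "$findings" ]
}

# Stand-alone use: sh audit.sh /lib/modules/"$(uname -r)"
if [ $# -gt 0 ]; then
    if module_tree_is_safe "$1"; then
        echo "OK: $1 is writable only by its trusted owner"
    else
        echo "REVIEW: $1"
        audit_module_tree "$1"
    fi
fi
```

An empty result for the running kernel's tree means a replacement ppp_generic.ko cannot be dropped into place without the owner's privileges; the parent directories `/lib` and `/lib/modules` deserve the same ownership check.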

