Bug 927841 (CVE-2015-3310) - VUL-1: CVE-2015-3310: ppp: buffer overflow in radius plug-in's rc_mksid()
Summary: VUL-1: CVE-2015-3310: ppp: buffer overflow in radius plug-in's rc_mksid()
Status: RESOLVED FIXED
Alias: CVE-2015-3310
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115979/
Whiteboard: CVSSv2:NVD:CVE-2015-3310:4.3:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-20 12:33 UTC by Andreas Stieger
Modified: 2020-05-12 17:46 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-04-20 12:33:37 UTC
via oss-sec, originally on Debian:
https://bugs.debian.org/782450

> On systems with more than 65535 processes running, pppd aborts when
> sending a "start" accounting message to the RADIUS server because of a
> buffer overflow in rc_mksid.
> 
> Moreover, when ppp is compiled with GCC's Object Size Checking
> Built-in Functions, the call to sprintf gets replaced by
> __sprintf_chk():
> https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html
> 
> If that is the case, pppd consistently crashes with a SIGABRT upon
> successful authentication if its own pid is greater than 65535.
> 
> https://bugs.launchpad.net/ubuntu/+source/ppp/+bug/291743
> 
> As you can see from the reports, pppd's pid is always greater than
> 65535. Users complain that the bug shows up "after a few hours".
> 
> A possible attack scenario against a VPN server running xl2tpd
> follows.
> 
> xl2tpd starts a new pppd process for each connection attempt. A remote
> attacker could repeatedly connect to the remote server, even with
> invalid credentials, in order to increase the pid of pppd at every
> attempt. After pppd's pid reaches 65535, each and every subsequent
> connection attempt would fail, resulting in a denial of service.


Affected code is in SLE 10 through 12.

References:
https://bugs.debian.org/782450
https://bugzilla.redhat.com/show_bug.cgi?id=1211293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3310
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782450
http://www.debian.org/security/2015/dsa-3228
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3310.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3310
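The following C program is an added illustration of the arithmetic behind the quoted report; it is not code from this bug, from ppp, or from any of the linked advisories. It assumes the session id is formatted as eight hex digits of time, four of pid and two of a counter into a 15-byte static buffer (format string and buffer size are assumptions, not quoted from the page). Because the width in `%04X` is only a minimum, a pid above 0xFFFF widens the field to five or more digits and the 14-character id plus NUL no longer fits, which is exactly the `sprintf`-versus-`__sprintf_chk` situation the report describes. The hardened variant bounds the write with `snprintf` and reports truncation instead of corrupting memory or aborting.

```c
#include <stdio.h>
#include <string.h>

/* Assumed legacy buffer: 8 (time) + 4 (pid) + 2 (counter) hex digits
 * plus the terminating NUL. Per the report, a pid above 0xFFFF no
 * longer fits in the four-digit pid field. */
#define LEGACY_SID_BUFLEN 15
/* Hardened size: room for a full 32-bit pid (8 hex digits) and more. */
#define SAFE_SID_BUFLEN 32

/* Assumed session-id format (not quoted from the page). */
#define SID_FMT "%08lX%04X%02hX"

/* Characters (excluding NUL) the id needs for these inputs. %04X is a
 * minimum width, so a larger pid simply makes the string longer. */
size_t mksid_len(unsigned long ts, unsigned int pid, unsigned short cnt)
{
    int n = snprintf(NULL, 0, SID_FMT, ts, pid, (unsigned short)(cnt & 0xFF));
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if a legacy 15-byte buffer could hold the id, 0 if an unbounded
 * sprintf would write past its end (the condition the report describes). */
int legacy_buffer_fits(unsigned long ts, unsigned int pid, unsigned short cnt)
{
    return mksid_len(ts, pid, cnt) + 1 <= LEGACY_SID_BUFLEN;
}

/* Hardened formatter: bounded write plus an explicit truncation check.
 * Returns 0 on success, -1 if the id does not fit; never writes beyond
 * out[outlen - 1] and leaves out empty on failure. */
int rc_mksid_safe(char *out, size_t outlen,
                  unsigned long ts, unsigned int pid, unsigned short cnt)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, SID_FMT, ts, pid, (unsigned short)(cnt & 0xFF));
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helper for checks: formats into a buffer limited to `outlen` bytes and
 * returns 1 only if formatting succeeded and produced exactly `expected`. */
int sid_matches(size_t outlen, unsigned long ts, unsigned int pid,
                unsigned short cnt, const char *expected)
{
    char buf[SAFE_SID_BUFLEN];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    if (rc_mksid_safe(buf, outlen, ts, pid, cnt) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a fixed timestamp and pids on either
     * side of the 65535 boundary named in the report. */
    const unsigned long ts = 0x5534E7B1UL;
    unsigned int pids[] = { 65535, 65536, 70000 };
    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        char buf[SAFE_SID_BUFLEN];
        int rc = rc_mksid_safe(buf, sizeof buf, ts, pids[i], 3);
        printf("pid %u: needs %zu chars, legacy 15-byte buffer %s, safe id %s\n",
               pids[i], mksid_len(ts, pids[i], 3),
               legacy_buffer_fits(ts, pids[i], 3) ? "fits" : "OVERFLOWS",
               rc == 0 ? buf : "(does not fit)");
    }
    return 0;
}
```

Run stand-alone, the program shows the 14-character id for pid 65535 fitting the legacy buffer and the 15-character id for any larger pid overrunning it; the `rc_mksid_safe` variant with a 32-byte buffer succeeds for all three, while the same function handed a 15-byte buffer fails cleanly for pid 70000 rather than writing past the end.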
Comment 1 Swamp Workflow Management 2015-04-20 22:01:48 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2015-11-13 17:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (927841) was mentioned in
https://build.opensuse.org/request/show/344259 Factory / ppp
Comment 3 Aeneas Jaißle 2015-11-14 22:41:30 UTC
https://build.opensuse.org/request/show/344423

All updates include a patch for CVE-2015-3310.
Updates for openSUSE 13.1 include a version jump from 2.4.5 to 2.4.7.
Comment 4 Marcus Meissner 2015-11-15 22:15:51 UTC
The Leap part should come via SLES12 Update.

Re assign to SLES maintainer.

The version update for 13.1 should optimally have incremental changes.
Comment 6 Johannes Segitz 2015-11-20 14:32:05 UTC
needinfo flag was probably forgotten. If there's still something unclear, please reset it.
Comment 7 Swamp Workflow Management 2015-11-27 16:12:24 UTC
openSUSE-SU-2015:2121-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927841
CVE References: CVE-2015-3310
Sources used:
openSUSE Leap 42.1 (src):    ppp-2.4.7-5.1
openSUSE 13.2 (src):    ppp-2.4.7-2.3.1
openSUSE 13.1 (src):    ppp-2.4.7-20.7.1
Comment 8 Andreas Schwab 2015-11-29 08:53:23 UTC
Problem: ppp-userpass-2011.8.29-17.1.17.ppc requires ppp = 2.4.5, but this requirement cannot be provided
  uninstallable providers: ppp-2.4.5-20.1.3.ppc[openSUSE-13.1-1.10]
 Solution 1: Following actions will be done:
  deinstallation of ppp-userpass-2011.8.29-17.1.17.ppc
  deinstallation of capi4linux-2011.8.29-17.1.17.ppc
  downgrade of NetworkManager-0.9.8.8-10.1.ppc to NetworkManager-0.9.8.8-4.1.ppc
 Solution 2: do not install ppp-2.4.7-20.7.1.ppc
 Solution 3: break ppp-userpass-2011.8.29-17.1.17.ppc by ignoring some of its dependencies
Comment 9 Swamp Workflow Management 2017-02-15 20:24:44 UTC
SUSE-SU-2017:0473-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927841
CVE References: CVE-2015-3310
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ppp-2.4.5.git-2.31.7
SUSE Linux Enterprise Server 11-SP4 (src):    ppp-2.4.5.git-2.31.7
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ppp-2.4.5.git-2.31.7
Comment 10 Swamp Workflow Management 2017-02-15 20:25:12 UTC
SUSE-SU-2017:0474-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927841
CVE References: CVE-2015-3310
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Server 12-SP2 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Server 12-SP1 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Desktop 12-SP2 (src):    ppp-2.4.7-3.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    ppp-2.4.7-3.4
Comment 11 Marcus Meissner 2017-06-15 21:12:20 UTC
released