arkid
Posts: 1
Joined: Tue Mar 31, 2020 12:18 pm

Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 12:22 pm

There is a serious PPP vulnerability that was made public recently, tracked as PPP vulnerability CVE-2020-8597 - (https://thehackernews.com/2020/03/ppp-d ... da973fdb03)

Can anyone confirm if this affects Raspbian?

Heater
Posts: 16092
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 2:40 pm

Does anyone still use PPP? I have not used PPP since last century on my 14.4 modems and later DSL connections.
Memory in C++ is a leaky abstraction .

DougieLawson
Posts: 39304
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 2:46 pm

Heater wrote:
Tue Mar 31, 2020 2:40 pm
Does anyone still use PPP? I have not used PPP since last century on my 14.4 modems and later DSL connections.
I did it once since 2012 (with tx/rx cross connected between two RPis). That was just for nostalgia, because I could and to remember why I hate wvdial & pppd. I couldn't get the authentic modem chatter so it was fairly boring and mostly useless.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

scruss
Posts: 3256
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 3:07 pm

All DSL connections (that I know of) use a form of PPP - PPPoE. But you're unlikely to be directly running PPP on a Raspberry Pi unless you're doing direct DSL connections. Retro computer nerds like me use PPP to network older computers over serial, too. But that's our problem.

DLA-2097-1 ppp -- LTS security update notes that the issue was resolved in 2.4.6-3.1+deb8u1. On a recently updated Raspberry Pi:

$ apt-cache policy ppp
ppp:
  Installed: (none)
  Candidate: 2.4.7-1+4+deb9u1
  Version table:
     2.4.7-1+4+deb9u1 500
        500 http://raspbian.raspberrypi.org/raspbian stretch/main armhf Packages
So it should be fixed. If your machine is showing Installed: (none) like mine, then it won't affect you.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.
Pronouns: he/him

dickon
Posts: 1595
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 3:16 pm

Heater wrote:
Tue Mar 31, 2020 2:40 pm
Does anyone still use PPP? I have not used PPP since last century on my 14.4 modems and later DSL connections.
I did once, for fun. PPPoSSH as a sort of bespoke VPN which bridged a few networks that really shouldn't have been bridged.

Fun thing.

Heater
Posts: 16092
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 4:48 pm

Actually scruss reminds me that getting on 10 years ago the company I worked for rolled out hundreds of custom designed DSL routers across a few cities in Scandinavia. We put together the Linux OS for them. I recall that PPP was used on all the DSL links.

Those units are still out there doing their job, likely they will never get updated. Nothing important though, only networking traffic lights.
Memory in C++ is a leaky abstraction .

jbudd
Posts: 1446
Joined: Mon Dec 16, 2013 10:23 am

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 5:07 pm

Only networking traffic lights...

Haven't you watched The Italian Job? :D

Heater
Posts: 16092
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 5:45 pm

jbudd wrote:
Tue Mar 31, 2020 5:07 pm
Only networking traffic lights...

Haven't you watched The Italian Job? :D
Yes of course. Thought about it all the time on that project. I was being a bit tongue in cheek.

Thing is, those DSL links were all copper owned by the cities and buried underground, a network isolated from any other. Controller cabinets have locks. Our networking gear was only connected to traffic controllers via slow serial links and only a few simple status messages could be received or commands sent. The controllers themselves were only dumb microcontrollers and there is a separate and independent safety processor that checks the lights don't get into a dangerous state.

All in all the powers that be deemed that was safe enough.

That was then. Now of course all that stuff has been connected to the internet, for the convenience of monitoring and management you know. And new traffic controllers run Linux. All manner of Italian Job fun could be had. A friend of mine has a key that will open most of the traffic controller cabinets in Finland, all we need is a laptop and an ethernet cable!

In fact, just yesterday I opened up a "Mesh 4G" wireless mesh router sold by nowwireless.com to cities in England for networking traffic lights and such. Like this: https://www.nowwireless.com/mesh-4g. Well guess what? I connect it to my PC with ethernet and find it has no admin password. The other thing that amazed me about it was that inside is a 50 dollar router board from Mikrotik. Nowwireless sells that on to UK towns in a plastic box for getting on a thousand pounds!

No fun just now though. There is no traffic anywhere to be seen.
Memory in C++ is a leaky abstraction .

hippy
Posts: 7911
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 7:11 pm

Heater wrote:
Tue Mar 31, 2020 2:40 pm
Does anyone still use PPP?
It's useful for creating a low-bandwidth TCP/IP network link between two Pi using a UART connection, but there aren't an awful lot of uses for doing it. It can be handy for using a Zero, A or A+ as a slave for a master Pi or PC as an alternative to USB gadget mode.

scruss
Posts: 3256
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: Is Raspbian vulnerable to the recent PPP security vulnerability? ??

Tue Mar 31, 2020 10:06 pm

Heater wrote:
Tue Mar 31, 2020 5:45 pm
… A friend of mine has a key that will open most of the traffic controller cabinets in Finland, …
(getting vastly off topic here)
And if it's anything like the Danish utility cabinet keys (like this one) I used to have, the top loop will be designed as a bottle opener. This caused no end of trouble in North America, as even the remotest hint of drinking beer on site was completely taboo. The Danes working on Canadian sites grumbled a bit, didn't bring their coolers on site, but nothing could get them to stop climbing ladders in wooden-soled clogs.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.
Pronouns: he/him
