CVE-2020-15704 - Vulnerability Details - OpenCVE

Description

The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.

Published: 2020-08-31

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Canonical

ppp

affected

Version	Status	Constraints
`2.4.5`	affected	< 2.4.5-5ubuntu1.4
`2.4.7`	affected	< 2.4.7-1+2ubuntu1.16.04.3

Configuration 1 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-7690	The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.
Ubuntu USN	USN-4451-1	ppp vulnerability
Ubuntu USN	USN-4451-2	ppp vulnerability

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://forum.xbian.org/thread-1748-post-18231.html#pid18231
http://launchpadlibrarian.net/491880980/ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz
https://nvd.nist.gov/vuln/detail/CVE-2020-15704
https://ubuntu.com/security/notices/USN-4451-1
https://ubuntu.com/security/notices/USN-4451-2
https://www.cve.org/CVERecord?id=CVE-2020-15704

History

No history.

Subscriptions

Canonical Ppp Ubuntu Linux

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-08-31T23:15:14.261Z

Updated: 2024-09-17T00:35:29.021Z

Reserved: 2020-07-14T00:00:00.000Z

Link: CVE-2020-15704

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-01T00:15:09.907

Modified: 2024-11-21T05:06:03.430

Link: CVE-2020-15704

Redhat

Severity :

Publid Date: 2020-08-05T00:00:00Z

Links: CVE-2020-15704 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "ppp", "vendor": "Canonical", "versions": [{"changes": [{"at": "2.4.5-5.1ubuntu2.3+esm2", "status": "unaffected"}], "lessThan": "2.4.5-5ubuntu1.4", "status": "affected", "version": "2.4.5", "versionType": "custom"}, {"changes": [{"at": "2.4.7-2+2ubuntu1.3", "status": "unaffected"}, {"at": "2.4.7-2+4.1ubuntu5.1", "status": "unaffected"}, {"at": "2.4.7-2+4.1ubuntu6", "status": "unaffected"}], "lessThan": "2.4.7-1+2ubuntu1.16.04.3", "status": "affected", "version": "2.4.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thomas Chauchefoin working with Trend Micro's Zero Day Initiative"}], "datePublic": "2020-08-04T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-31T23:15:14.000Z", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}], "source": {"advisory": "https://usn.ubuntu.com/USN-4451-1/", "discovery": "EXTERNAL"}, "title": "pppd arbitrary file read information disclosure vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-08-04T17:00:00.000Z", "ID": "CVE-2020-15704", "STATE": "PUBLIC", "TITLE": "pppd arbitrary file read information disclosure vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ppp", "version": {"version_data": [{"platform": "", "version_affected": "<", "version_name": "2.4.5", "version_value": "2.4.5-5ubuntu1.4"}, {"platform": "", "version_affected": "<", "version_name": "2.4.5", "version_value": "2.4.5-5.1ubuntu2.3+esm2"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-1+2ubuntu1.16.04.3"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+2ubuntu1.3"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+4.1ubuntu5.1"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+4.1ubuntu6"}]}}]}, "vendor_name": "Canonical"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Thomas Chauchefoin working with Trend Micro's Zero Day Initiative"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://ubuntu.com/security/notices/USN-4451-1", "refsource": "UBUNTU", "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"name": "https://ubuntu.com/security/notices/USN-4451-2", "refsource": "UBUNTU", "url": "https://ubuntu.com/security/notices/USN-4451-2"}]}, "solution": [], "source": {"advisory": "https://usn.ubuntu.com/USN-4451-1/", "defect": [], "discovery": "EXTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.747Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-15704", "datePublished": "2020-08-31T23:15:14.261Z", "dateReserved": "2020-07-14T00:00:00.000Z", "dateUpdated": "2024-09-17T00:35:29.021Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E60D6693-6626-4A52-9850-0C4B1B6832B3", "versionEndExcluding": "2.4.7-1\\+ubuntu1.16.04.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B437B873-DB91-41A3-908F-2F96CD4442B7", "versionEndExcluding": "2.4.7-2\\+2ubuntu1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B11FD69C-C04C-4021-9B6F-4332452438FF", "versionEndExcluding": "2.4.7-2\\+4.1ubuntu5.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEFE769D-23DE-424A-805E-FB365889AA83", "versionEndExcluding": "2.4.5-5ubuntu1.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CB91908-008C-478D-B667-5C1BC8B75C93", "versionEndExcluding": "2.4.5-5.1ubuntu2.3\\+esm2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}, {"lang": "es", "value": "El proceso hijo modprobe en el archivo de parche ./debian/patches/load_ppp_generic_if_needed manej\u00f3 incorrectamente la carga del m\u00f3dulo. Un atacante local que no sea root podr\u00eda explotar la variable de entorno MODPROBE_OPTIONS para leer archivos root arbitrarios. Corregido en las versiones 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Fue ZDI-CAN-11504"}], "id": "CVE-2020-15704", "lastModified": "2024-11-21T05:06:03.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-01T00:15:09.907", "references": [{"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@ubuntu.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ppp: Privilege escalation through loading of arbitrary kernel modules and other programs", "id": "1866491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866491"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-552", "details": ["The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.", "A flaw in the Linux ppp daemon functionality was found in the way possibility of unexpected loading ppp_generic module during ppp daemon startup."], "name": "CVE-2020-15704", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2020-08-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15704\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15704\nhttp://forum.xbian.org/thread-1748-post-18231.html#pid18231\nhttp://launchpadlibrarian.net/491880980/ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz"], "statement": "Red Hat Product Security does not consider this to be a vulnerability in a Red Hat product as this issue resides in Ubuntu specific patch.\nMoreover, the described problem that ppp daemon can load module ppp_generic on startup, and this considered to be potentially dangerous, because user can install fake ppp_generic module instead of real. However, only user with high privileges can install new ppp_generic module to correct path for modprobe, so if user have high privileges, then he can load any module he wants anyway."}