A remotely exploitable vulnerability was found in Point-to-Point Protocol Daemon (pppd), which has a significant potential impact due to the possibility of remote code execution prior to authentication.
So if you're using
ppp it is highly recommended to update your devices as soon as possible. You can update your devices with
opkg update; opkg upgrade ppp command.
For details see the complete security advisory 2020-02-21-1.
Thanks! Especially for the explicit command line.
To be clear, I assume this affects people who use PPPoE to get their internet service from an ISP? Not everyone who does that will realize that they use "pppd" so it would be good to be explicit about that!
fwiw, for PPPoE connections between customer trying to establish their internet connection to their ISP, is this vulnerability actually negligible to non-existent? I could be wrong of course.
If using ppp for any other application, I suppose it would be a problem. eg. perhaps PPTP for vpn connections?
I don't know. I think you are assuming the ISP is not hacked and therefore non malicious. this isn't necessarily true. There are a lot of automated hack tools out there. your ISP should be considered untrusted.
PPPoE does not use EAP it uses PAP/CHAP. PPP EAP ASFAIK is used for PPTP or IPSEC/L2TP
afaik eap usage is not a requirement for the bug. every installation is affected.
It would be great to update the original post to say that the versions after a specific date (20 Feb 2020?) or version (19.07.2, etc?) contain the fix since people will still stumble on this message in April and won't want to read the security update (or quite understand its importance). Thanks.