CVE-2020-28194

9.8 CRITICAL

📋 TL;DR

This CVE describes an integer underflow vulnerability in accel-ppp's RADIUS packet processing. An attacker-controlled RADIUS server that sends a malformed vendor-specific attribute with a length field of less than 2 can trigger it and achieve arbitrary code execution. Only systems running accel-ppp with RADIUS authentication enabled are affected.
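As an added illustration (not accel-ppp's own code), the following C walker validates every RADIUS attribute length before the header size is subtracted from it, which is the check an underflow of this kind needs; attribute layouts follow RFC 2865 and the sample byte arrays are constructed for the example.

```c
/* Added example, not accel-ppp's own code: walk a RADIUS attribute list and
 * check every length field before subtracting the 2-byte Type/Length header
 * (RFC 2865); a length below 2 makes that subtraction wrap to a huge size. */
#include <stddef.h>
#include <stdint.h>
#define RAD_ATTR_VENDOR_SPECIFIC 26
#define RAD_HDR_LEN 2  /* Type + Length octets present in every attribute */

/* Vendor-Specific payload: 4-byte Vendor-Id, then sub-attributes that each
 * carry Vendor-Type and Vendor-Length (which counts its own two bytes). */
static int vsa_payload_ok(const uint8_t *p, size_t len)
{
    if (len < 4)                               /* must hold the Vendor-Id */
        return 0;
    p += 4; len -= 4;
    while (len > 0) {
        if (len < RAD_HDR_LEN)                 /* truncated sub-attribute */
            return 0;
        size_t vlen = p[1];
        if (vlen < RAD_HDR_LEN || vlen > len)  /* vlen - 2 would underflow */
            return 0;
        p += vlen; len -= vlen;
    }
    return 1;
}

/* Walk the attribute region of a RADIUS packet (bytes after the 20-byte
 * header). Returns the attribute count, or -1 on any malformed length. */
int rad_attrs_validate(const uint8_t *attrs, size_t len)
{
    int count = 0;
    while (len > 0) {
        if (len < RAD_HDR_LEN)
            return -1;
        size_t alen = attrs[1];
        if (alen < RAD_HDR_LEN || alen > len)  /* reject before using alen-2 */
            return -1;
        if (attrs[0] == RAD_ATTR_VENDOR_SPECIFIC &&
            !vsa_payload_ok(attrs + RAD_HDR_LEN, alen - RAD_HDR_LEN))
            return -1;
        attrs += alen; len -= alen; count++;
    }
    return count;
}
/* Constructed samples: User-Name "bob", then a VSA (Vendor-Id 9) whose only
 * sub-attribute is well-formed (good) or claims Vendor-Length 1 (bad). */
const uint8_t good_attrs[] = {1,5,'b','o','b', 26,10,0,0,0,9, 1,4,'x','y'};
const uint8_t bad_attrs[]  = {1,5,'b','o','b', 26,9,0,0,0,9, 1,1,'x'};
```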

💻 Affected Systems

Products:
  • accel-ppp
Versions: All versions before commit e9d369aa0054312b7633e964e9f7eb323f1f3d69
Operating Systems: Linux, BSD systems where accel-ppp is deployed
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RADIUS authentication is configured and enabled. Systems using other authentication methods or without RADIUS are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges leading to complete control of the accel-ppp server and potential lateral movement within the network.

🟠 Likely Case

Remote code execution leading to service disruption, credential theft, or installation of persistent backdoors on the accel-ppp server.

🟢 If Mitigated

Limited impact due to network segmentation and RADIUS server trust controls preventing attacker access to RADIUS infrastructure.

🌐 Internet-Facing: MEDIUM - Requires attacker to control a RADIUS server that the accel-ppp instance trusts, which is less common for internet-facing deployments.
🏢 Internal Only: HIGH - Internal RADIUS infrastructure is more commonly deployed and could be compromised by internal threats or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control of a trusted RADIUS server, which adds complexity. The vulnerability itself is in memory handling and could be reliably exploited once RADIUS server access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit e9d369aa0054312b7633e964e9f7eb323f1f3d69

Vendor Advisory: https://github.com/accel-ppp/accel-ppp/security/advisories/GHSA-2m44-rh3c-x4gr

Restart Required: Yes

Instructions:

1. Update accel-ppp to a version containing commit e9d369aa0054312b7633e964e9f7eb323f1f3d69 or later.
2. Rebuild from source if using a source installation.
3. Restart the accel-ppp service.

🔧 Temporary Workarounds

Disable RADIUS authentication

Temporarily disable RADIUS authentication if it is not required, using alternative authentication methods.

# Edit the accel-ppp configuration to remove or comment out the RADIUS server settings
# (typically in /etc/accel-ppp.conf or similar)

Network segmentation

Restrict RADIUS server communication to trusted sources only.

# Accept UDP/1812 only from the trusted RADIUS server, then drop everything else
# (adjust the port and match direction to your deployment)
iptables -A INPUT -p udp --dport 1812 -s TRUSTED_RADIUS_IP -j ACCEPT
iptables -A INPUT -p udp --dport 1812 -j DROP

🧯 If You Can't Patch

  • Implement strict network controls to ensure only authorized RADIUS servers can communicate with accel-ppp instances
  • Monitor RADIUS server integrity and implement additional authentication/authorization controls for RADIUS infrastructure

🔍 How to Verify

Check if Vulnerable:

Check the accel-ppp version or git commit hash. If it predates commit e9d369aa0054312b7633e964e9f7eb323f1f3d69 and RADIUS is enabled, the system is vulnerable.

Check Version:

accel-pppd --version 2>&1 | head -1

Verify Fix Applied:

Verify that accel-ppp is running a version that includes commit e9d369aa0054312b7633e964e9f7eb323f1f3d69 or later, and check that RADIUS functionality still works properly.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected RADIUS packet parsing errors
  • Memory access violation logs from accel-ppp
  • Abnormal RADIUS server connections

Network Indicators:

  • Malformed RADIUS packets with vendor-specific attributes
  • Unusual traffic patterns from RADIUS servers

SIEM Query:

source="accel-ppp" AND (error OR memory OR crash) AND radius
