CVE-2023-52557
📋 TL;DR
npppd, OpenBSD's PPP server (it terminates L2TP, PPTP and PPPoE tunnels), can be crashed by a remote, unauthenticated attacker who sends an L2TP control message containing an attribute-value pair (AVP) whose length field does not match the data actually present; the daemon trusts the bogus length while parsing and dies. The result is a denial of service for every tunnel the daemon serves. Affected: OpenBSD 7.3 systems running npppd without errata 016.
💻 Affected Systems
- OpenBSD npppd
📦 What is this software?
OpenBSD by OpenBSD. npppd is the PPP server shipped in the OpenBSD base system (npppd(8)); it handles L2TP, PPTP and PPPoE tunnels and is commonly deployed as a VPN concentrator, so its L2TP listener is usually reachable from untrusted networks.
⚠️ Risk & Real-World Impact
Worst Case
A remote, unauthenticated attacker crashes npppd with a single crafted L2TP message, dropping every active PPP/VPN session. OpenBSD's rc.d does not supervise daemons, so the service stays down until someone restarts it, and the attacker can simply resend the message after each restart.
Likely Case
Repeated denial of service against VPN/PPP connectivity on any OpenBSD 7.3 host whose npppd L2TP listener is reachable by the attacker; each crash needs an operator or a watchdog to restart the service.
If Mitigated
Minimal impact if patched or if npppd is not exposed to untrusted networks.
🎯 Exploit Status
Exploitation only requires sending crafted L2TP control messages to npppd's listener (UDP port 1701); the malformed AVP is parsed before any tunnel is authenticated, so no credentials are needed. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenBSD 7.3 errata 016
Vendor Advisory: https://www.openbsd.org/errata73.html (signed source patch: https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/016_npppd.patch.sig)
Restart Required: Yes
Instructions:
1. Apply errata 016. On a release or -stable installation run 'syspatch', which installs all pending binary patches (016_npppd among them). On a system built from source, verify and apply the signed patch, then rebuild and install npppd, as the patch header instructs:
   signify -Vep /etc/signify/openbsd-73-base.pub -x 016_npppd.patch.sig -m - | (cd /usr/src && patch -p0)
   cd /usr/src/usr.sbin/npppd && make obj && make && make install
2. Restart npppd: 'rcctl restart npppd'.
3. Verify it came back: 'rcctl check npppd' prints 'npppd(ok)'; on a syspatch-managed system 'syspatch -l' now lists 016_npppd.
🔧 Temporary Workarounds
Disable L2TP in npppd
If L2TP is not required, remove it from the npppd configuration so the vulnerable parser is never reached; PPTP or PPPoE tunnels can keep running.
Edit /etc/npppd/npppd.conf: delete or comment out the 'tunnel <name> protocol l2tp { listen on ... }' block and any 'bind tunnel from <name> ...' line that references it
Restart npppd: rcctl restart npppd
Network segmentation
Restrict access to the L2TP listener (UDP port 1701) to trusted sources with pf. The fragment below belongs in /etc/pf.conf (the addresses are placeholders to replace) and relies on pf's last-matching-rule-wins evaluation, so the pass rule for trusted hosts overrides the block:
table <trusted_hosts> persist { 192.0.2.10, 198.51.100.0/24 }
block in proto udp to port 1701
pass in proto udp from <trusted_hosts> to port 1701
Check the syntax and load it: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
Add a host at runtime without editing the file: pfctl -t trusted_hosts -T add <trusted_ip>
Caveats: with L2TP/IPsec the decapsulated UDP 1701 packets are seen by pf on enc0, so the rules must match on that interface as well (for example 'pass in on enc0 ...'); and source filtering cannot protect a road-warrior deployment whose client addresses are not known in advance, where patching is the only real fix.
🧯 If You Can't Patch
- Implement firewall rules to restrict access to npppd UDP port 1701 to trusted networks only.
- Monitor npppd service health ('rcctl check npppd') and restart it automatically when it is down, but cap the number of restarts per interval: an attacker who crashed it once can do so again, and an unbounded restart loop only hides the attack.
🔍 How to Verify
Check if Vulnerable:
'sysctl kern.version' only tells you the release ('OpenBSD 7.3 ...'); it does not change when a userland errata patch is installed, so it cannot show whether 016 is applied. On a 7.3 host run 'syspatch -l' and look for 016_npppd in the list of installed patches ('syspatch -c' lists patches still missing). If 016_npppd is absent and npppd is enabled ('rcctl ls on | grep -x npppd'), the host is vulnerable. A host patched from source has no syspatch record: confirm the patch is present in /usr/src and that npppd was rebuilt and restarted after it.
Check Version:
sysctl kern.version
syspatch -l
Verify Fix Applied:
'syspatch -l' lists 016_npppd (binary-patched systems), and 'rcctl check npppd' prints 'npppd(ok)'.
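The checks above, combined into one script. This is an added example and not part of the OpenBSD errata or the npppd project; it assumes the standard output formats of sysctl(8), syspatch(8) and rcctl(8) shown in the comments, and it only runs the real commands when they exist on the host, so the parsing functions can be exercised anywhere.

```sh
#!/bin/sh
# Added example: decide whether this host still needs OpenBSD 7.3 errata 016 for npppd.
# Command output is passed to the functions as strings; the real commands run only at
# the bottom, and only when syspatch and rcctl are present (i.e. on OpenBSD).

# Release number from `sysctl kern.version`, e.g.
#   kern.version=OpenBSD 7.3 (GENERIC.MP) #1: Mon Jan  1 00:00:00 UTC 2024
# yields "7.3" (a -current or -stable suffix is ignored).
release_from_version() {
    printf '%s\n' "$1" |
        sed -n 's/^kern\.version=OpenBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True when the `syspatch -l` listing (one installed patch name per line) contains
# the npppd patch. syspatch only records binary patches: a host patched from source
# has no entry here and must be checked against /usr/src instead.
has_npppd_errata() {
    printf '%s\n' "$1" | grep -qx '016_npppd'
}

# Verdict for one host.
#   $1: sysctl kern.version output   $2: syspatch -l output
#   $3: "yes" if npppd is enabled in rc.conf.local, otherwise "no"
assess() {
    version_out=$1; patches_out=$2; npppd_enabled=$3
    rel=$(release_from_version "$version_out")
    [ -n "$rel" ] || rel=unknown
    if [ "$rel" != "7.3" ]; then
        # Only 7.3 is covered by this advisory; other releases need their own check.
        echo "release-$rel-not-covered"
    elif [ "$npppd_enabled" != "yes" ]; then
        echo "npppd-disabled"
    elif has_npppd_errata "$patches_out"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# On an OpenBSD host, gather the real inputs and print the verdict.
if command -v syspatch >/dev/null 2>&1 && command -v rcctl >/dev/null 2>&1; then
    version_out=$(sysctl kern.version 2>/dev/null || true)
    patches_out=$(syspatch -l 2>/dev/null || true)
    if rcctl ls on 2>/dev/null | grep -qx npppd; then enabled=yes; else enabled=no; fi
    assess "$version_out" "$patches_out" "$enabled"
fi
```

Run it as root on each 7.3 host; anything other than "patched" or "npppd-disabled" means the L2TP listener is still exploitable.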
📡 Detection & Monitoring
Log Indicators:
- npppd's normal syslog output (daemon facility, /var/log/daemon) stopping abruptly while tunnels are in use; OpenBSD writes no syslog line when a userland daemon dies of a signal, so the gap itself is the signal
- 'rcctl check npppd' reporting 'npppd(failed)', or a fresh npppd.core file in the daemon's working directory
- Unexpected npppd service restarts
Network Indicators:
- L2TP control messages (UDP 1701) to the server from sources that are not known clients
- A burst of malformed or unusually short L2TP control messages from one source, after which the listener goes silent
SIEM Query:
source="npppd" AND ("crash" OR "segfault" OR "panic")
This assumes the collector tags events from /var/log/daemon by program name. Because OpenBSD itself never emits those strings for a crashed daemon, they have to come from whatever notices the failure (a watchdog or a scheduled 'rcctl check npppd' writing through logger(1)); without that, the query will never match.
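A watchdog that ties the two together: it restarts npppd when rcctl reports it down, writes the syslog lines a SIEM query can match, and stops restarting after too many crashes in a short window. This is an added example, not OpenBSD or npppd project code; the restart policy (MAX_RESTARTS per WINDOW seconds), the state file path and the core file location are assumptions to adjust, and it is meant to be run from root's crontab every minute.

```sh
#!/bin/sh
# Added example: cron-driven watchdog for npppd after CVE-2023-52557-style crashes.
# An attacker who crashed npppd once can do it again, so restarts are rate-limited
# and the limit being hit is logged at daemon.crit instead of looping silently.
MAX_RESTARTS=${MAX_RESTARTS:-3}                    # assumed policy: at most 3 restarts
WINDOW=${WINDOW:-600}                              # ... per 600 seconds
STATE=${STATE:-/var/db/npppd-watchdog.restarts}    # assumed path: one epoch per restart
CORE=${CORE:-/npppd.core}                          # assumed: rc.d daemons run with cwd /

# rcctl check prints "<service>(ok)" or "<service>(failed)"; map that to a word.
status_from_check() {
    case "$1" in
        'npppd(ok)')     echo running ;;
        'npppd(failed)') echo down ;;
        *)               echo unknown ;;
    esac
}

# $1 = current epoch seconds, $2 = past restart epochs, one per line.
# Succeeds if fewer than MAX_RESTARTS of them fall inside the last WINDOW seconds.
restart_allowed() {
    now=$1; recent=0
    for t in $2; do
        if [ $((now - t)) -lt "$WINDOW" ]; then
            recent=$((recent + 1))
        fi
    done
    [ "$recent" -lt "$MAX_RESTARTS" ]
}

# Keep only history entries still inside the window so the state file stays small.
prune_history() {
    now=$1
    for t in $2; do
        if [ $((now - t)) -lt "$WINDOW" ]; then printf '%s\n' "$t"; fi
    done
}

# Real work happens only on a host that has rcctl and when running as root.
if command -v rcctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    st=$(status_from_check "$(rcctl check npppd 2>/dev/null || true)")
    if [ "$st" = down ]; then
        now=$(date +%s)
        history=$(cat "$STATE" 2>/dev/null || true)
        if [ -f "$CORE" ]; then
            logger -t npppd-watchdog "npppd crash: core file present at $CORE"
        fi
        if restart_allowed "$now" "$history"; then
            logger -t npppd-watchdog "npppd down, restarting"
            rcctl restart npppd
            { prune_history "$now" "$history"; printf '%s\n' "$now"; } > "$STATE"
        else
            logger -p daemon.crit -t npppd-watchdog \
                "npppd down $MAX_RESTARTS times in ${WINDOW}s, not restarting; investigate"
        fi
    fi
fi
```

The "npppd crash" and "npppd down" lines it writes are what the SIEM query above should key on; add a crontab entry such as "* * * * * /usr/local/sbin/npppd-watchdog" (path assumed) to run it.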
🔗 References
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/016_npppd.patch.sig
- https://github.com/openbsd/src/commit/abf3a29384c582c807a621e7fc6e7c68d0cafe9b