CVE-2020-15704 - OpenCVE

The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ppp Ubuntu Linux

Configuration 1 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

No data.

References

Link	Providers
http://forum.xbian.org/thread-1748-post-18231.html#pid18231
http://launchpadlibrarian.net/491880980/ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz
https://nvd.nist.gov/vuln/detail/CVE-2020-15704
https://ubuntu.com/security/notices/USN-4451-1
https://ubuntu.com/security/notices/USN-4451-2
https://www.cve.org/CVERecord?id=CVE-2020-15704

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-08-31T23:15:14.261406Z

Updated: 2024-09-17T00:35:29.021Z

Reserved: 2020-07-14T00:00:00

Link: CVE-2020-15704

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-01T00:15:09.907

Modified: 2021-11-18T17:44:58.203

Link: CVE-2020-15704

Redhat

Severity :

Publid Date: 2020-08-05T00:00:00Z

Links: CVE-2020-15704 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "ppp", "vendor": "Canonical", "versions": [{"changes": [{"at": "2.4.5-5.1ubuntu2.3+esm2", "status": "unaffected"}], "lessThan": "2.4.5-5ubuntu1.4", "status": "affected", "version": "2.4.5", "versionType": "custom"}, {"changes": [{"at": "2.4.7-2+2ubuntu1.3", "status": "unaffected"}, {"at": "2.4.7-2+4.1ubuntu5.1", "status": "unaffected"}, {"at": "2.4.7-2+4.1ubuntu6", "status": "unaffected"}], "lessThan": "2.4.7-1+2ubuntu1.16.04.3", "status": "affected", "version": "2.4.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thomas Chauchefoin working with Trend Micro's Zero Day Initiative"}], "datePublic": "2020-08-04T00:00:00", "descriptions": [{"lang": "en", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-31T23:15:14", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}], "source": {"advisory": "https://usn.ubuntu.com/USN-4451-1/", "discovery": "EXTERNAL"}, "title": "pppd arbitrary file read information disclosure vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-08-04T17:00:00.000Z", "ID": "CVE-2020-15704", "STATE": "PUBLIC", "TITLE": "pppd arbitrary file read information disclosure vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ppp", "version": {"version_data": [{"platform": "", "version_affected": "<", "version_name": "2.4.5", "version_value": "2.4.5-5ubuntu1.4"}, {"platform": "", "version_affected": "<", "version_name": "2.4.5", "version_value": "2.4.5-5.1ubuntu2.3+esm2"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-1+2ubuntu1.16.04.3"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+2ubuntu1.3"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+4.1ubuntu5.1"}, {"platform": "", "version_affected": "<", "version_name": "2.4.7", "version_value": "2.4.7-2+4.1ubuntu6"}]}}]}, "vendor_name": "Canonical"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Thomas Chauchefoin working with Trend Micro's Zero Day Initiative"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://ubuntu.com/security/notices/USN-4451-1", "refsource": "UBUNTU", "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"name": "https://ubuntu.com/security/notices/USN-4451-2", "refsource": "UBUNTU", "url": "https://ubuntu.com/security/notices/USN-4451-2"}]}, "solution": [], "source": {"advisory": "https://usn.ubuntu.com/USN-4451-1/", "defect": [], "discovery": "EXTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.747Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-15704", "datePublished": "2020-08-31T23:15:14.261406Z", "dateReserved": "2020-07-14T00:00:00", "dateUpdated": "2024-09-17T00:35:29.021Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E60D6693-6626-4A52-9850-0C4B1B6832B3", "versionEndExcluding": "2.4.7-1\\+ubuntu1.16.04.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B437B873-DB91-41A3-908F-2F96CD4442B7", "versionEndExcluding": "2.4.7-2\\+2ubuntu1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B11FD69C-C04C-4021-9B6F-4332452438FF", "versionEndExcluding": "2.4.7-2\\+4.1ubuntu5.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEFE769D-23DE-424A-805E-FB365889AA83", "versionEndExcluding": "2.4.5-5ubuntu1.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ppp:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CB91908-008C-478D-B667-5C1BC8B75C93", "versionEndExcluding": "2.4.5-5.1ubuntu2.3\\+esm2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504."}, {"lang": "es", "value": "El proceso hijo modprobe en el archivo de parche ./debian/patches/load_ppp_generic_if_needed manej\u00f3 incorrectamente la carga del m\u00f3dulo. Un atacante local que no sea root podr\u00eda explotar la variable de entorno MODPROBE_OPTIONS para leer archivos root arbitrarios. Corregido en las versiones 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Fue ZDI-CAN-11504"}], "id": "CVE-2020-15704", "lastModified": "2021-11-18T17:44:58.203", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-09-01T00:15:09.907", "references": [{"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-1"}, {"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://ubuntu.com/security/notices/USN-4451-2"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ppp: Privilege escalation through loading of arbitrary kernel modules and other programs", "id": "1866491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866491"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-552", "details": ["The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.", "A flaw in the Linux ppp daemon functionality was found in the way possibility of unexpected loading ppp_generic module during ppp daemon startup."], "name": "CVE-2020-15704", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2020-08-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15704\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15704\nhttp://forum.xbian.org/thread-1748-post-18231.html#pid18231\nhttp://launchpadlibrarian.net/491880980/ppp_2.4.7-2+4.1ubuntu5_2.4.7-2+4.1ubuntu6.diff.gz"], "statement": "Red Hat Product Security does not consider this to be a vulnerability in a Red Hat product as this issue resides in Ubuntu specific patch.\nMoreover, the described problem that ppp daemon can load module ppp_generic on startup, and this considered to be potentially dangerous, because user can install fake ppp_generic module instead of real. However, only user with high privileges can install new ppp_generic module to correct path for modprobe, so if user have high privileges, then he can load any module he wants anyway."}