Multiple Vulnerabilities - Accel-PPP v1.12 (CVE-2022-24704, CVE-2022-24705)

CVE ID

CVE-2022-24704

CVE-2022-24705

Description

Multiple buffer overflow vulnerabilities in Accel-PPP v1.12.

Tested Versions

Accel-PPP v1.12

Details

There exist two separate buffer overflow vulnerabilities in Accel-PPP v1.12. Accel-PPP is a high-performance VPN server application for Linux. Its goal is the aggregation of various popular VPN techniques into a single application.

CVE-2022-24704: When parsing a specially crafted file, it is possible to cause memory corruption. This is due to a buffer overflow in a memcpy call. The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suffers from a buffer overflow vulnerability, whereby user input of length len is copied into the fixed buffer &attr->val.integer without any bounds check. If the client connects to the server and sends a large RADIUS packet, the buffer overflow is triggered.

CVE-2022-24705: When parsing a specially crafted file, it is possible to cause memory corruption. This is due to a buffer overflow in a memcpy call. The rad_packet_recv function in radius/packet.c suffers from a memcpy buffer overflow, resulting in an overly large recvfrom into a fixed buffer that overflows it and overwrites arbitrary memory. If the server connects with a malicious client, crafted client requests can remotely trigger this vulnerability.
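The bounds check described as missing for CVE-2022-24704, shown in a simplified RADIUS attribute walker. This is an added example, not Accel-PPP's code or its patch; the struct, the function names and the three-entry integer dictionary are assumptions made for illustration, and the sample packets are constructed.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a parsed attribute; not Accel-PPP's own struct. */
struct int_attr { uint8_t type; uint32_t integer; };

/* Assumed dictionary: RFC 2865 NAS-Port, Service-Type, Session-Timeout. */
static int is_integer_type(uint8_t t) { return t == 5 || t == 6 || t == 27; }

/* Walk the attribute region of a RADIUS packet (bytes after the 20-byte header).
 * Stores integer attributes in out[0..max); returns the count, or -1 if malformed. */
int parse_attrs(const uint8_t *p, size_t n, struct int_attr *out, int max)
{
    int found = 0;
    while (n > 0) {
        if (n < 2) return -1;                /* truncated Type/Length pair */
        size_t alen = p[1];                  /* Length counts its 2-byte header */
        if (alen < 2 || alen > n) return -1; /* too short, or runs past packet */
        size_t vlen = alen - 2;
        if (is_integer_type(p[0])) {
            /* The bound reported missing: value must match the field's width. */
            if (vlen != sizeof(out->integer)) return -1;
            if (found == max) return -1;     /* caller's array is full */
            out[found].type = p[0];
            memcpy(&out[found].integer, p + 2, vlen);
            out[found].integer = ntohl(out[found].integer);
            found++;
        }
        p += alen;
        n -= alen;
    }
    return found;
}

/* Constructed sample: User-Name "ab", then Session-Timeout = 3600. */
static const uint8_t good_attrs[] = { 1, 4, 'a', 'b', 27, 6, 0, 0, 0x0e, 0x10 };
/* Constructed sample: Session-Timeout whose Length claims a 10-byte value. */
static const uint8_t long_attrs[] = { 27, 12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };

int main(void)
{
    struct int_attr a[4];
    printf("good: %d\n", parse_attrs(good_attrs, sizeof good_attrs, a, 4));
    printf("long: %d\n", parse_attrs(long_attrs, sizeof long_attrs, a, 4));
    return 0;
}
```

Without the `vlen` comparison, the `memcpy` would write up to 253 attacker-supplied bytes over a 4-byte field, which is the overflow pattern the advisory describes.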

Timeline

  • 2021-12-27 - Vendor Disclosure
  • 2021-12-29 - Vendor Patched
  • 2022-02-10 - Public Release

Credit

Discovered by Eugene Lim, Chloe Ong, Kar Wei Loh of Govtech.