CVE-2018-11574

Name of the Vulnerable Software and Affected Versions PPPD versions prior to the version with the fixed patch

Description The issue arises from improper input validation combined with an integer overflow in the EAP-TLS protocol implementation. This can lead to a crash, information disclosure, or authentication bypass. The affected implementation includes the eap.c and eap-tls.c files and is distributed as a patch for PPPD 0.91. Configurations using the refuse-app option are not affected.

Recommendations For PPPD versions prior to the version with the fixed patch, consider disabling the EAP-TLS protocol until a patch is available. Restrict access to the affected eap.c and eap-tls.c files to minimize the risk of exploitation. Avoid using configurations that do not include the refuse-app option in the affected PPPD versions until the issue is resolved.