L2TP & PPP protocols causing an Mpd5 crash

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2023-017	CVE-2020-7466 , CVE-2020-7465	01/01/2023	low	v1

Vulnerability details

PPP and L2TP protocol implementation are subject to a memory corruption vulnerability that could lead to a crash of Mpd5 daemon. It could also lead to a potential RCE in the case of L2TP.

Impacted products

Products	Severity	Detail
Stormshield Network Security	low	SNS is impacted

Revisions

Version	Date	Description
v1	04/11/2023	Reserved Publication
v2	05/25/2023	Updated and disclosed

Stormshield Network Security

CVSS v3.1 Overall Score: 3

Analysis

Impacted version

An attacker needs to inject crafted packets between dial-in and dial-out in order to trigger a crash of Mpd5 daemon or an RCE. In the case of PPP the crafted message is an authentication message and in the case of L2TP it’s a control packet.

SNS 4.0.0 to 4.3.16
SNS 4.4.0 to 4.5.0

Workaround solution

Solution

There is no workaround solution.

The following versions fix this vulnerability

4.3.17
4.5.0

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Adjacent Network	High	None	None	Unchanged	None	Low	Low

CVSS Base score: 4.2	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

Exploit Code Maturity	Remediation Level	Report Confidence
Unproven that exploit exists	Official fix	Reasonable

CVSS Temporal score: 3.5	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:R)

Confidentiality Requirement	Integrity Requirement	Availability Requirement
Low	Low	Medium

CVSS Environmental score: 3	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)