Urgent update to repair the critical PPP daemon flaw in GL.iNet OpenWrt routers

The vulnerability is tracked as CVE-2020–8597.

According to Hacker News, a critical PPP daemon flaw can open most Linux systems to remote hackers. Users with affected operating systems and devices are advised to apply security patches as soon as possible, or when it becomes available.

Currently, we patched the flaw via updating the related plug-ins for these GL.iNet routers:

  • GL-AR750S (Slate)
  • GL-AR750/GL-AR750-PoE (Creta)
  • GL-AR300M/GL-AR300M-Ext/GL-AR300M16/GL-AR300M16-Ext/GL-AR300M-Lite (Shadow)
  • GL-AR150/GL-AR150-Ext/GL-AR150-PoE/GL-AR150-PoE-Ext (White)
  • GL-MiFi
  • GL-X750 (Spitz)
  • GL-E750 (Mudi)
  • GL-MT300N-V2 (Mango)
  • GL-B1300 (Convexa-B)
  • GL-S1300 (Convexa-S)
  • GL-MV1000 (Brume)
  • GL-X1200 (Amarok)
  • GL-USB150 (Microuter)
  • Microuter N300 / Vixmini

Check the bottom label of your router to make sure the module name. You can get your router patched by following the steps as below,

A) Update Plug-in library in our web Admin Panel

Update Plug-in library

B) Uninstall the old plug-in called “ppp” and “ppp-mod-pppoe” with version 2.4.7–12

Uninstall the plug-in ppp

C) Install the plug-in called “ppp” and “ppp-mod-pppoe” with new version 2.4.7–13

Install the plug-in ppp

The vulnerability, tracked as CVE-2020–8597 with CVSS Score 9.8, can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them. We urge you to follow above steps to patch the flaw as soon as possible. For more information, you can email to support@gl-inet.com or post on our forum.

About GL.iNet

We are a leading developer of OpenWRT pre-installed wireless routers and world-class solution providers, offering quality services of smart cities, data privacy protection, and enterprise IoT. We partner with like-minded companies around the globe to provide phenomenal products and services. We aim to build a smarter lifestyle.