A critical flaw has been identified in the OpenBSD networking stack, allowing attackers to bypass its Password Authentication Protocol (PAP) entirely. This vulnerability, present since 1999, was recently disclosed and poses significant security risks.
Vulnerability Details
The issue is located in the sppp_pap_input() function of OpenBSD’s sppp(4) subsystem, which is responsible for handling synchronous PPP links within PPPoE connections. During the authentication phase using PAP, user credentials are meant to be verified before a network session is established. However, a fundamental flaw in this logic has persisted since its inception.
The vulnerability arises from improper handling of the length fields used during credential validation. The function bcmp() was used to compare the username and password fields, with the comparison lengths taken directly from the incoming PAP frame. Because bcmp() reports a match when asked to compare zero bytes, zero-length credentials passed these checks, resulting in unauthorized access.
Impact and Exploitation
This flaw allows attackers to completely bypass authentication, gaining access to PPP sessions without valid credentials. A related risk involves kernel heap overreads, as the bcmp() function could read beyond allocated memory when handling oversized credentials, exposing adjacent data.
The vulnerability is accessible through the PPPoE data path, requiring no valid credentials. An attacker, running a rogue PPPoE server within the same broadcast domain, can exploit this weakness to masquerade as a legitimate server. This enables full session establishment, including IP configuration and ICMP communication, demonstrating the exploit’s feasibility.
Resolution and Recommendations
The original code came from FreeBSD, and the flaw went unnoticed for 27 years despite various updates. A fix has been implemented that mirrors the safer pattern already used by the CHAP handler: exact-length pre-checks before any bcmp() call, which reject zero-length and oversized inputs before they are processed.
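To make the length-handling defect concrete, here is a constructed C illustration (added here, not OpenBSD's sppp code; the struct, function names and credential values are hypothetical) showing the vulnerable bcmp() pattern beside the exact-length pre-check the fix describes:

```c
/* Constructed illustration of the bcmp() length bug described above.
 * Simplified stand-in, not OpenBSD's sppp_pap_input(); struct and
 * function names are hypothetical. */
#include <stddef.h>
#include <strings.h>

struct pap_auth {                 /* configured peer credentials */
    const char *name;   size_t name_len;
    const char *secret; size_t secret_len;
};

/* Sample credentials for the demonstration (constructed values). */
static const struct pap_auth sample_peer = { "alice", 5, "s3cret", 6 };

/* Vulnerable pattern: lengths come straight from the PAP frame. bcmp()
 * asked to compare zero bytes returns 0 ("equal") without reading
 * anything, so an empty name and secret are accepted; a length larger
 * than the stored credential makes bcmp() read past its buffer. */
int pap_check_vulnerable(const struct pap_auth *a,
                         const unsigned char *name, size_t nlen,
                         const unsigned char *secret, size_t slen)
{
    if (bcmp(a->name, name, nlen) != 0)
        return 0;
    if (bcmp(a->secret, secret, slen) != 0)
        return 0;
    return 1;
}

/* Hardened pattern, mirroring the exact-length pre-check the article
 * describes: the peer's lengths must equal the configured lengths, so
 * bcmp() only runs with a non-zero, in-bounds length. */
int pap_check_fixed(const struct pap_auth *a,
                    const unsigned char *name, size_t nlen,
                    const unsigned char *secret, size_t slen)
{
    if (nlen == 0 || nlen != a->name_len ||
        slen == 0 || slen != a->secret_len)
        return 0;
    if (bcmp(a->name, name, nlen) != 0)
        return 0;
    if (bcmp(a->secret, secret, slen) != 0)
        return 0;
    return 1;
}
```

With the sample credentials, the vulnerable check accepts an empty username and password while the fixed check rejects them and still accepts the correct pair.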
According to Argus, the vulnerability was disclosed on June 12, 2026, and a patch was released within two days. Organizations utilizing OpenBSD, especially where PPPoE authentication is critical, should apply the latest patches promptly to mitigate potential threats.
This incident underscores the importance of regular security audits and updates to prevent legacy vulnerabilities from being exploited.
