
27-Year-Old OpenBSD Vulnerability Allows Attackers to Bypass PAP Authentication Entirely

Jun 17, 2026

A long-standing vulnerability in OpenBSD’s networking stack has been disclosed, revealing that attackers can bypass PAP authentication entirely due to a decades-old logic flaw.

The issue resides in the sppp_pap_input() function within OpenBSD’s sppp(4) subsystem, which manages synchronous PPP links used in PPPoE connectivity.

During the PPP authentication phase, systems relying on the Password Authentication Protocol (PAP) validate user credentials before establishing a network session.

However, researchers found that this validation logic has been fundamentally flawed since its introduction in 1999.

27-Year-Old OpenBSD Vulnerability

The flaw stems from improper handling of attacker-controlled length fields during credential comparison.

The PAP credential validation logic compared the attacker-supplied username and password fields using bcmp(), but trusted the length values taken directly from the incoming PAP frame:

```c
if (name_len > AUTHMAXLEN ||
    passwd_len > AUTHMAXLEN ||
    bcmp(name, sp->hisauth.name, name_len) != 0 ||
    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
        /* authentication failed */
}
```

Since zero-length values pass the existing upper-bound checks, and bcmp() with a length of zero compares nothing and returns 0, the comparison never fails: OpenBSD accepts the authentication request without verifying any credentials.

This effectively allows a complete authentication bypass, enabling unauthorized access to PPP sessions. A related issue arises from the same design flaw.

If an attacker supplies a length larger than the actual allocated credential size, the bcmp() function reads beyond the intended memory boundary. This results in a kernel heap overread, potentially exposing the contents of adjacent memory.

This condition became exploitable after a 2009 update replaced fixed-size buffers with dynamically allocated memory, increasing the risk of out-of-bounds access.

The vulnerability is reachable via the PPPoE data path and does not require valid credentials. An attacker operating a rogue PPPoE server within the same broadcast domain can exploit this flaw to impersonate a legitimate server.

In a successful attack scenario:

  • The attacker completes PPPoE discovery and negotiation.
  • The attacker sends a PAP request with zero-length credentials.
  • The OpenBSD client accepts the request and establishes a connection.
  • Network traffic is routed through the attacker-controlled endpoint.

A proof-of-concept demonstrated full session establishment, including IP configuration and ICMP communication, confirming the exploit’s real-world feasibility.

The vulnerable code originated from FreeBSD and was initially derived from a Cronyx Engineering implementation dating back to the mid-1990s.

Despite multiple updates over the years, the flawed comparison logic remained unchanged for 27 years.

The fix mirrors the safer pattern already present in the CHAP handler by adding exact-length pre-checks before any bcmp() call:

```c
if (name_len != strlen(sp->hisauth.name) ||
    passwd_len != strlen(sp->hisauth.secret) ||
    bcmp(name, sp->hisauth.name, name_len) != 0 ||
    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
        /* authentication failed */
}
```

According to the Argus blog, the issue was responsibly disclosed on June 12, 2026, and fixed within two days. The patch adds strict length-validation checks to reject zero-length and oversized inputs before comparison.
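To make the flaw and the fix concrete, the following is an added userland illustration, not OpenBSD's sppp(4) code and not taken from the Argus write-up. It lifts the two checks shown above into stand-alone functions and runs them against constructed credentials. The names AUTHMAXLEN, name, secret and the length variables follow the page; struct peer_auth, the DEMO_AUTH sample values and the use of memcmp() in place of the kernel's bcmp() (identical semantics for equality testing, more portable to compile) are assumptions made for this example. Beyond the zero-length case the page describes, the same code also shows that any prefix of the stored secret, sent with a shorter length, satisfies the pre-fix check, which is why the fix compares lengths first.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the upper bound used by the kernel check on the page. */
#define AUTHMAXLEN 256

/* Stand-in for the relevant part of sp->hisauth (assumption for this example). */
struct peer_auth {
    const char *name;    /* configured peer name, NUL-terminated */
    const char *secret;  /* configured peer secret, NUL-terminated */
};

/* Constructed sample credentials; not real configuration data. */
static const struct peer_auth DEMO_AUTH = { "isp-user", "hunter2" };

/* The pre-fix logic. Returns 1 when authentication is ACCEPTED.
 * name_len and passwd_len come straight from the PAP frame, exactly as in
 * the vulnerable kernel code. Callers must keep both lengths within the
 * stored strings here, because in the kernel a larger value is the heap
 * overread the article describes and in userland it is undefined behaviour. */
static int pap_check_vulnerable(const struct peer_auth *auth,
                                const char *name, size_t name_len,
                                const char *passwd, size_t passwd_len)
{
    if (name_len > AUTHMAXLEN ||
        passwd_len > AUTHMAXLEN ||
        memcmp(name, auth->name, name_len) != 0 ||
        memcmp(passwd, auth->secret, passwd_len) != 0)
        return 0;   /* authentication failed */
    return 1;       /* zero-length (or prefix-only) fields land here */
}

/* The fixed logic: the supplied length must equal the configured length
 * before any byte comparison runs. Zero-length and oversized fields are
 * rejected up front, and the comparison never reads past the stored string. */
static int pap_check_fixed(const struct peer_auth *auth,
                           const char *name, size_t name_len,
                           const char *passwd, size_t passwd_len)
{
    if (name_len != strlen(auth->name) ||
        passwd_len != strlen(auth->secret) ||
        memcmp(name, auth->name, name_len) != 0 ||
        memcmp(passwd, auth->secret, passwd_len) != 0)
        return 0;   /* authentication failed */
    return 1;
}

/* Stand-alone driver: prints the verdict of both checks for each case. */
int main(void)
{
    struct {
        const char *label;
        const char *name; size_t name_len;
        const char *passwd; size_t passwd_len;
    } cases[] = {
        { "correct credentials",      "isp-user", 8, "hunter2", 7 },
        { "zero-length credentials",  "",         0, "",        0 },
        { "prefix of secret only",    "isp-user", 8, "hunter",  6 },
        { "wrong secret, right len",  "isp-user", 8, "letmein", 7 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s vulnerable=%d fixed=%d\n", cases[i].label,
               pap_check_vulnerable(&DEMO_AUTH, cases[i].name, cases[i].name_len,
                                    cases[i].passwd, cases[i].passwd_len),
               pap_check_fixed(&DEMO_AUTH, cases[i].name, cases[i].name_len,
                               cases[i].passwd, cases[i].passwd_len));
    }
    return 0;
}
```

The defensive takeaway is the ordering: a length taken from the wire is only safe to hand to a memory comparison after it has been checked against the length of the data you actually hold, which is what the upstream patch does and what the CHAP handler already did.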

Organizations using OpenBSD, particularly in environments relying on PPPoE authentication, are strongly advised to apply the latest patches immediately to prevent potential exploitation.


Source: CybersecurityNews.com
