27-Year-Old OpenBSD Vulnerability Exposes PPPoE Authentication Bypass
A critical vulnerability in OpenBSD’s networking stack, present since 1999, has been disclosed, allowing attackers to bypass Password Authentication Protocol (PAP) entirely. The flaw resides in the sppp_pap_input() function within the sppp(4) subsystem, which handles synchronous PPP links used in PPPoE connectivity.
The issue stems from improper handling of attacker-controlled length fields during credential validation. OpenBSD’s PAP logic trusted length values from incoming PAP frames, enabling authentication bypass if zero-length credentials were supplied. Additionally, oversized length values could trigger a kernel heap overread, exposing adjacent memory, a risk introduced after a 2009 update replaced fixed-size buffers with dynamic allocations.
Exploitation requires no valid credentials; an attacker operating a rogue PPPoE server within the same broadcast domain can impersonate a legitimate server. A proof-of-concept confirmed full session establishment, including IP configuration and ICMP communication.
The vulnerable code originated from FreeBSD and traces back to a mid-1990s Cronyx Engineering implementation. Despite multiple updates, the flawed comparison logic remained unchanged for 27 years. The fix, disclosed responsibly on June 12, 2026, adds strict length-validation checks to reject zero-length and oversized inputs before comparison. OpenBSD patched the issue within two days. Organizations using OpenBSD in PPPoE environments are urged to apply the latest updates.
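The sketch below is an added example, not the OpenBSD source: a simplified model of the comparison pattern described above next to a version with the length checks the fix is said to add. The function names, sample frames and the credentials "isp"/"pw" are constructed for illustration, and the exact-length check against the stored values is an assumption that goes slightly beyond the page's description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modeled payload (PAP Authenticate-Request, RFC 1334):
 * [id_len][id bytes][pw_len][pw bytes]. Both lengths are peer-controlled. */

/* Legacy pattern: compare only as many bytes as the peer claims to have sent. */
int pap_check_legacy(const uint8_t *p, const char *id, const char *pw)
{
    size_t id_len = p[0];
    size_t pw_len = p[1 + id_len];
    /* memcmp() over 0 bytes returns 0, so empty credentials "match";
     * a claimed length above the stored string's size reads past it. */
    return memcmp(p + 1, id, id_len) == 0 &&
           memcmp(p + 2 + id_len, pw, pw_len) == 0;
}

/* Hardened pattern: validate both lengths before any comparison. */
int pap_check_strict(const uint8_t *p, size_t len,
                     const char *id, const char *pw)
{
    size_t id_len, pw_len;
    if (len < 2)
        return 0;                         /* no room for two length bytes */
    id_len = p[0];
    if (id_len == 0 || id_len + 2 > len)
        return 0;                         /* empty, or runs off the frame */
    pw_len = p[1 + id_len];
    if (pw_len == 0 || id_len + pw_len + 2 > len)
        return 0;
    if (id_len != strlen(id) || pw_len != strlen(pw))
        return 0;                         /* never read past stored values */
    return memcmp(p + 1, id, id_len) == 0 &&
           memcmp(p + 2 + id_len, pw, pw_len) == 0;
}

/* Constructed sample frames. */
const uint8_t FRAME_GOOD[]  = { 3, 'i', 's', 'p', 2, 'p', 'w' };
const uint8_t FRAME_EMPTY[] = { 0, 0 };           /* zero-length id and pw */
const uint8_t FRAME_LONG[]  = { 200, 'i', 's', 'p' }; /* length > frame */

int main(void)
{
    printf("legacy(empty)=%d strict(empty)=%d strict(good)=%d\n",
           pap_check_legacy(FRAME_EMPTY, "isp", "pw"),
           pap_check_strict(FRAME_EMPTY, sizeof FRAME_EMPTY, "isp", "pw"),
           pap_check_strict(FRAME_GOOD, sizeof FRAME_GOOD, "isp", "pw"));
    return 0;
}
```

The legacy function is only called on the zero-length frame here; calling it with the oversized frame would itself read out of bounds.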
Source: https://cybersecuritynews.com/27-year-old-openbsd-vulnerability/
OpenBSD cybersecurity rating report: https://www.rankiteo.com/company/openbsd
"id": "OPE1781720855",
"linkid": "openbsd",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using OpenBSD in '
'PPPoE environments',
'industry': 'Technology/Software',
'name': 'OpenBSD',
'type': 'Operating System'}],
'attack_vector': 'Rogue PPPoE server within the same broadcast domain',
'date_publicly_disclosed': '2026-06-12',
'date_resolved': '2026-06-14',
'description': 'A critical vulnerability in OpenBSD’s networking stack, '
'present since 1999, has been disclosed, allowing attackers to '
'bypass Password Authentication Protocol (PAP) entirely. The '
'flaw resides in the *sppp_pap_input()* function within the '
'*sppp(4)* subsystem, which handles synchronous PPP links used '
'in PPPoE connectivity. The issue stems from improper handling '
'of attacker-controlled length fields during credential '
'validation, enabling authentication bypass if zero-length '
'credentials were supplied. Additionally, oversized length '
'values could trigger a kernel heap overread, exposing '
'adjacent memory. Exploitation requires no valid credentials; '
'an attacker operating a rogue PPPoE server within the same '
'broadcast domain can impersonate a legitimate server. A '
'proof-of-concept confirmed full session establishment, '
'including IP configuration and ICMP communication.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'OpenBSD and affected organizations',
'operational_impact': 'Authentication bypass leading to '
'unauthorized network access',
'systems_affected': 'OpenBSD systems using PPPoE connectivity'},
'investigation_status': 'Resolved',
'lessons_learned': 'Importance of rigorous input validation in authentication '
'protocols, especially in legacy code. Need for thorough '
'code audits to identify long-standing vulnerabilities.',
'post_incident_analysis': {'corrective_actions': 'Added strict '
'length-validation checks to '
'reject zero-length and '
'oversized inputs before '
'credential comparison.',
'root_causes': 'Improper handling of '
'attacker-controlled length fields '
'in the *sppp_pap_input()* '
'function, leading to '
'authentication bypass and kernel '
'heap overread.'},
'recommendations': 'Organizations using OpenBSD in PPPoE environments should '
'apply the latest updates immediately. Conduct code audits '
'to identify similar vulnerabilities in legacy systems.',
'references': [{'source': 'OpenBSD Security Advisory'}],
'response': {'communication_strategy': 'Responsible disclosure on June 12, '
'2026',
'containment_measures': 'Strict length-validation checks added '
'to reject zero-length and oversized '
'inputs',
'remediation_measures': 'Patch released to fix the vulnerability '
'in the *sppp_pap_input()* function'},
'stakeholder_advisories': 'Organizations urged to apply the latest OpenBSD '
'updates.',
'title': '27-Year-Old OpenBSD Vulnerability Exposes PPPoE Authentication '
'Bypass',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-XXXX (not explicitly mentioned, but '
'implied as a critical vulnerability)'}