OpenBSD PAP Auth Bypass Flaw Lurked Undetected for 27 Years
A critical authentication-bypass vulnerability hiding in OpenBSD’s synchronous PPP subsystem since 1999 has been patched 27 years after the flawed code was first imported into the source tree.
The bug allowed attackers to completely bypass PAP (Password Authentication Protocol) authentication by sending zero-length credential fields, granting full network access without a single valid credential.
The flaw resided in sys/net/if_spppsubr.c, within OpenBSD’s sppp(4) subsystem, which handles PAP credential validation during PPPoE link establishment. The vulnerable logic used attacker-controlled length fields directly as the comparison size in bcmp() calls:
if (name_len > AUTHMAXLEN ||
    passwd_len > AUTHMAXLEN ||
    bcmp(name, sp->hisauth.name, name_len) != 0 ||
    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
	/* authentication failed */
}
The critical flaw is deceptively simple: bcmp(buf, ref, 0) unconditionally returns 0 regardless of buffer contents. While the upper-bound guard correctly rejected values above 255, it allowed zero to pass completely unchecked.
By sending a PAP Auth-Request with name_len=0 and passwd_len=0, both bcmp calls returned success, the failure branch was never triggered, and OpenBSD issued a PAP_ACK granting full authentication with no credentials whatsoever.
A secondary heap over-read vulnerability shared the same root cause. Supplying a name_len larger than the allocated size of sp->hisauth.name caused bcmp to read beyond the heap object, potentially leaking adjacent kernel memory.
This attack surface became viable after a February 2009 commit changed authentication fields from fixed-size struct arrays to dynamically allocated buffers, effectively decoupling allocation size from the comparison boundary.
The vulnerable code traces back to a July 1, 1999, commit that imported LMC driver code from FreeBSD, which itself was derived from Cronyx Engineering’s implementation, authored by Serge Vakulenko between 1994 and 1996.
According to researchers at Argus Systems, the zero-length bypass survived every OpenBSD release since that original import, an extraordinary lifespan for a critical authentication flaw.
Ironically, the CHAP handler in the same source file already used the correct pattern, with an exact-length pre-check before calling bcmp. The PAP handler simply never received the same treatment.
Both vulnerabilities are reachable via the PPPoE data path: pppoe_data_input → pppoeintr → sppp_input → sppp_pap_input.
An attacker operating a rogue PPPoE server within the same broadcast domain can complete the full handshake, including discovery, LCP negotiation, PAP bypass, and IPCP negotiation, to transparently intercept or manipulate the victim’s IP traffic, facilitating a man-in-the-middle attack.
Researchers verified the exploit against OpenBSD 7.6 (amd64) in a QEMU/KVM environment using a proof-of-concept script (poc-001-pap-bypass.py). The script completed full link establishment with empty PAP fields and received a confirmed ICMP echo reply through the rogue tunnel.
The fix mirrors the exact-length check already present in the CHAP handler, adding length equality checks before the bcmp comparisons to eliminate both the zero-length bypass and the heap over-read in a single correction. The patch was committed by mvs on June 14, 2026, just two days after responsible disclosure on June 12, 2026.
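To make the zero-length bypass and the exact-length fix concrete, here is an added user-space model of the check described above and of its correction; it is example code, not OpenBSD's sppp(4) source. AUTHMAXLEN and the hisauth name/secret fields follow the names on the page, while the peer credentials and the three PAP Authenticate-Request packets are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Added example, not OpenBSD code: a user-space model of the sppp(4) PAP
 * check.  Names follow the page; credentials and packets are constructed. */
#define AUTHMAXLEN 255

struct hisauth { const char *name; const char *secret; };
struct pap_req { const uint8_t *name, *passwd; size_t name_len, passwd_len; };

/* PAP Authenticate-Request (RFC 1334, code 1): 4-byte code/id/length
 * header, then peer-id-length, peer-id, passwd-length, password. */
static int pap_parse(const uint8_t *pkt, size_t len, struct pap_req *r)
{
	if (len < 5 || pkt[0] != 1)
		return 0;
	r->name_len = pkt[4];
	r->name = pkt + 5;
	if (len < 6 + r->name_len)
		return 0;
	r->passwd_len = pkt[5 + r->name_len];
	r->passwd = pkt + 6 + r->name_len;
	return len >= 6 + r->name_len + r->passwd_len;
}

/* fixed == 0 reproduces the flawed logic; fixed == 1 adds the exact-length
 * pre-check that the CHAP handler already used.  Returns 1 for PAP_ACK. */
static int pap_auth(const struct hisauth *h, const uint8_t *pkt, size_t len, int fixed)
{
	struct pap_req r;
	if (!pap_parse(pkt, len, &r))
		return 0;
	if (r.name_len > AUTHMAXLEN || r.passwd_len > AUTHMAXLEN)
		return 0;	/* the old upper-bound guard: zero still passes */
	/* The fix: lengths must equal the stored lengths before any bcmp(),
	 * which rejects empty fields and bounds the read to the stored object. */
	if (fixed && (r.name_len != strlen(h->name) || r.passwd_len != strlen(h->secret)))
		return 0;
	/* As written in the flawed code: bcmp(buf, ref, 0) returns 0 whatever
	 * the buffers hold, so two zero-length fields "match". */
	if (bcmp(r.name, h->name, r.name_len) != 0 ||
	    bcmp(r.passwd, h->secret, r.passwd_len) != 0)
		return 0;	/* authentication failed */
	return 1;		/* PAP_ACK */
}

/* Constructed peer credentials and requests: valid, wrong password, and the
 * zero-length bypass (id 1, length 6, both length bytes 0). */
static const struct hisauth peer = { "alice", "s3cret" };
static const uint8_t good_pkt[] = { 1, 1, 0, 17, 5, 'a','l','i','c','e', 6, 's','3','c','r','e','t' };
static const uint8_t wrong_pkt[] = { 1, 1, 0, 17, 5, 'a','l','i','c','e', 6, 's','3','c','r','e','x' };
static const uint8_t bypass_pkt[] = { 1, 1, 0, 6, 0, 0 };
```

Running the bypass packet through both modes shows the difference: the flawed check acknowledges it, the corrected check rejects it, and a valid request still passes both.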
OpenBSD users are strongly advised to apply the latest security patches immediately, particularly systems using PPPoE connections in shared network environments.