<![CDATA[A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack]]>

<![CDATA[A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack]]>

OpenBSD's sppp_pap_input function used attacker-controlled length fields as the bcmp comparison length for credential validation. Sending zero-length name and password fields caused bcmp to return 0 unconditionally, bypassing PAP authentication entirely. The vulnerability was introduced in 1999 and survived for 27 years before being fixed.

https://blog.argus-systems.ai/blog/openbsd-pap-27-year-auth-bypass.html

]]>https://billboard.bsd.cafe/topic/254/a-27-year-old-authentication-bypass-in-openbsd-s-ppp-stackRSS for NodeWed, 17 Jun 2026 18:55:57 GMTWed, 17 Jun 2026 06:57:27 GMT60<![CDATA[Reply to A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack on Wed, 17 Jun 2026 17:09:45 GMT]]>

… The code originated from FreeBSD, which itself derived it from Cronyx Engineering Ltd.'s implementation written by Serge Vakulenko in 1994-1996. …

I assume that FreeBSD is not affected.

]]>https://billboard.bsd.cafe/post/707https://billboard.bsd.cafe/post/707Wed, 17 Jun 2026 17:09:45 GMT