A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack
16 points by fro
Oh no! It’s a bug in PPP authentication in 2026.
Allow me to go update all of the affected systems I…or at least inform the people I know who…or at least look for relevant…
Okay, no, this is about as close to a useless security finding as I can imagine. And yet, untold amounts of compute (and energy, water, labor, etc.) were expended in creating this report.
/me sighs
There still are stick-in-the-mud ISPs requiring PPPoE, like my Vodafone/OpenReach VDSL service in the UK just a few years ago, and given OpenBSD's prevalence as a router OS, it's not completely marginal, but yes, it would be PPPoE as a client, not as a server, and thus difficult or impossible to exploit.
Reminds me of my friend Jason saying "ATM is the crack pipe of the Bellhead". PPPoE, even more so.
I know of at least one major ISP in Canada who still uses PPPoE (a friend bought special SFP PONs to bypass their router).
GP's reaction saddens me. Both the lack of knowledge and research (just assuming these technologies are not used anywhere, without so much as a single search) and the sheer anti-intellectualism of "why should anyone care about this/keep maintaining it". Security in legacy codepaths matters.
The irony is that they (supposedly) whine about entropy, so they decided to create more of it…
My ISP uses PPPoE (MAP-E) which is a relatively new tech that is being rolled out to quite a few big ISPs in many “western” countries so…
At work we use PPP to do IP over serial in situations where Ethernet isn't available. Surprisingly common I think.