Description
Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 through 4.0 beta before 20060823, and OpenBSD 3.8 and 3.9 before 20060902 allows remote attackers to cause a denial of service (panic), obtain sensitive information, and possibly execute arbitrary code via crafted Link Control Protocol (LCP) packets with an option length that exceeds the overall length, which triggers the overflow in (1) pppoe and (2) ippp. NOTE: this issue was originally incorrectly reported for the ppp driver.
References (10)
Core 10
Core References
Various Sources x_refsource_misc
http://security.FreeBSD.org/patches/SA-06:18/ppp4x.patch
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/19684
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28562
Vendor Advisory vendor-advisory
x_refsource_freebsd
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:18.ppp.asc
Patch vendor-advisory
x_refsource_openbsd
http://www.openbsd.org/errata38.html#sppp
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/21731
Vendor Advisory vendor-advisory
x_refsource_netbsd
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-019.txt.asc
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1016745
Patch vendor-advisory
x_refsource_openbsd
http://www.openbsd.org/errata.html#sppp
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/21587
Scores
EPSS
0.0562
EPSS Percentile
90.4%
Details
Status
published
Products (11)
freebsd/freebsd
4.11
freebsd/freebsd
5.3
freebsd/freebsd
5.4
freebsd/freebsd
5.5
freebsd/freebsd
6.0
freebsd/freebsd
6.1
netbsd/netbsd
2.0
netbsd/netbsd
3.0
netbsd/netbsd
4.0
openbsd/openbsd
3.8
... and 1 more
Published
Aug 24, 2006
Tracked Since
Feb 18, 2026