OpenBSD patches authentication bypass, privilege escalation vulnerabilities

The open source project took less than 40 hours to develop fixes for the bugs.

Researchers test Android's VOIP components for the first time, find eight vulnerabilities The vulnerabilities can be exploited to make unauthorized VoIP calls, spoof caller IDs, deny voice calls, and even execute malicious code on users' devices.

OpenBSD has patched four vulnerabilities including privilege escalation flaws and a remotely exploitable authentication bypass.

OpenBSD is an open source Unix operating system based on Berkeley Software Distribution (BSD) and built with security in mind. On Wednesday, Qualys Research Labs revealed the existence of four vulnerabilities in the OS that were first privately reported in the interest of responsible disclosure. 

The vulnerabilities have been assigned as CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, and CVE-2019-19519.

See also: New Zealand's gun buyback scheme impacted by data breach, SAP to blame

The first bug, CVE-2019-19522, is an authentication bypass issue found in the OpenBSD's authentication protocol. The operating system relies on BSD Authentication and if an attacker specifies a particular username, it is possible to force authentication automatically without challenge. The vulnerability is remotely exploitable through smtpd, ldapd, and radiusd.

"If an attacker specifies a username of the form "-option", they can influence the behavior of the authentication program in unexpected ways," the security advisory reads.

The second security flaw, CVE-2019-19520, is a local privilege escalation problem caused by a failed check in xlock. If an attacker has local access to OpenBSD, they can obtain the privileges of set-group-ID "auth" through xlock, which is installed by default. 

CVE-2019-19522, the third bug squashed by OpenBSD, is another local privilege escalation problem found in "S/Key" and "YubiKey" functions. 

CNET: TikTok accused of secretly gathering user data and sending it to China

"If the S/Key or YubiKey authentication type is enabled (they are both installed by default but disabled), then a local attacker can exploit the privileges of the group "auth" to obtain the full privileges of the user "root"," Qualys says. 

To obtain "auth" privileges, attackers can first exploit CVE-2019-19520 as part of an attack chain.

The fourth and final vulnerability, CVE-2019-19519, was found in the "su" function. Local attackers can exploit su's "-L" option -- a software loop which continues until a correct username and password combination is entered --  to log in as themselves, but with a different login class. 

TechRepublic: How to protect computers that store biometric data from malware

After Qualys reported the security flaws, OpenBSD developers acknowledged the issues and were able to develop and publish patches in less than 40 hours. 

The fixes are now available. Users of OpenBSD 6.5 and OpenBSD 6.6 should update their builds to stay protected. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0