OpenBSD has patched four vulnerabilities including privilege escalation flaws and a remotely exploitable authentication bypass.
OpenBSD is an open source Unix operating system based on the Berkeley Software Distribution (BSD) and built with security in mind. On Wednesday, Qualys Research Labs revealed the existence of four vulnerabilities in the OS that it had first reported privately to the OpenBSD developers in the interest of responsible disclosure.
The vulnerabilities have been assigned as CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, and CVE-2019-19519.
The first bug, CVE-2019-19521, is an authentication bypass in OpenBSD's BSD Authentication framework. The framework authenticates users by running a separate, privileged "style" program (login_passwd, for example) and passing the username on its command line. If an attacker submits a username that starts with a hyphen, such as "-schallenge", the style program parses it as a command-line option rather than a name, and in this case it answers with a silent, automatic authentication success instead of issuing a challenge. The vulnerability is remotely exploitable through smtpd, ldapd, and radiusd, which all authenticate network users through this framework.
"If an attacker specifies a username of the form '-option', they can influence the behavior of the authentication program in unexpected ways," the security advisory reads.
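The following C program is an added example, written for this article and not taken from OpenBSD or Qualys. It models the argument convention of a BSD Authentication style program (`login_style [-s service] [-v name=value] user [class]`, documented in login.conf(5)) with a hand-written stand-in for the getopt(3) loop, shows what such a program sees when the caller appends an untrusted name such as "-schallenge" after its own `-s login` option, and shows the kind of check a caller should apply before placing user input in an argv. The parser, the sample argv, and the `username_is_safe` rules are assumptions for illustration, not OpenBSD's code.

```c
/* Added example (not OpenBSD's code): how an untrusted username placed in a
 * style program's argv is misread as an option, and a check that rejects it. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct login_args {
    const char *service;   /* -s service: "login", "challenge" or "response" */
    const char *user;      /* first positional argument */
    const char *class;     /* optional second positional argument */
    int usage_error;
};

/* Hypothetical stand-in for the getopt(3) loop of a login_* program:
 *   login_style [-s service] [-v name=value] user [class]
 * Options are consumed until the first argument that does not start with
 * '-', as getopt(3) does, so "-schallenge" is read as "-s challenge". */
static void parse_login_args(int argc, char *const argv[], struct login_args *out)
{
    int i;
    memset(out, 0, sizeof *out);
    out->service = "login";
    for (i = 1; i < argc && argv[i][0] == '-'; i++) {
        const char *arg;
        char opt = argv[i][1];
        if (opt == '-' && argv[i][2] == '\0') { i++; break; }   /* "--" ends options */
        if (opt != 's' && opt != 'v') { out->usage_error = 1; return; }
        /* the option argument may be glued ("-schallenge") or separate ("-s challenge") */
        if (argv[i][2] != '\0') arg = argv[i] + 2;
        else if (i + 1 < argc) arg = argv[++i];
        else { out->usage_error = 1; return; }
        if (opt == 's') out->service = arg;
        /* "-v name=value" would be exported to the style program; ignored here */
    }
    switch (argc - i) {
    case 2: out->class = argv[i + 1]; /* FALLTHROUGH */
    case 1: out->user = argv[i]; break;
    default: out->usage_error = 1;
    }
}

/* Build the argv a caller would hand to login_passwd for an untrusted name
 * (constructed sample: "-s login" first, then the name, then the class) and
 * return the service the style program would actually run with. */
const char *service_seen_by_style_program(const char *untrusted_name, struct login_args *la)
{
    char *const argv[] = { "login_passwd", "-s", "login", (char *)untrusted_name, "default", NULL };
    parse_login_args(5, argv, la);
    return la->service;
}

/* Check a caller should apply before putting a user-supplied name in argv:
 * non-empty, bounded, plain characters, and never starting with '-'. */
int username_is_safe(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

int main(void)
{
    struct login_args la;
    const char *names[] = { "alice", "-schallenge", "-schallenge:passwd" };
    size_t k;
    for (k = 0; k < 3; k++) {
        const char *svc = service_seen_by_style_program(names[k], &la);
        printf("name %-20s safe=%d -> service=%s user=%s\n", names[k],
               username_is_safe(names[k]), svc, la.user ? la.user : "(none)");
    }
    return 0;
}
```

Run it and the "-schallenge" line shows the service silently switched from "login" to "challenge" and the class string "default" taken as the username; the "alice" line parses as intended. Rejecting names that begin with '-' (or terminating the option list with "--" before the name) closes this class of argument injection.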
The second security flaw, CVE-2019-19520, is a local privilege escalation in xlock, which is installed by default and set-group-ID "auth". Because of a flawed privilege check, xlock can be made to load a shared library from a path under the user's control, so an attacker with local access to OpenBSD can run code of their choosing with the privileges of the "auth" group.
CVE-2019-19522, the third bug squashed by OpenBSD, is another local privilege escalation, this one in the "S/Key" and "YubiKey" authentication types.
"If the S/Key or YubiKey authentication type is enabled (they are both installed by default but disabled), then a local attacker can exploit the privileges of the group 'auth' to obtain the full privileges of the user 'root'," Qualys says.
An attacker who does not already have "auth" group privileges can first exploit CVE-2019-19520 to obtain them, chaining the two bugs to go from an unprivileged local user to root.
The fourth and final vulnerability, CVE-2019-19519, was found in su. Its "-L" option makes su loop, prompting again until a correct username and password combination is entered. A local attacker can abuse this loop to log in as themselves but with another user's login class, the login.conf(5) profile that sets a user's resource limits and environment.
After Qualys reported the security flaws, the OpenBSD developers acknowledged the issues and developed and published patches in less than 40 hours.