Multiple critical vulnerabilities found in OpenBSD

Web application security researchers at the security firm Qualys Research Labs have reported multiple vulnerabilities in the authentication system of the OpenBSD operating system. The OpenBSD developers have already confirmed the flaws, and fixes for some of them were released within 48 hours of the report.

In total, the researchers found four vulnerabilities, each of which has already been assigned a CVE identifier:

  • CVE-2019-19521: An authentication bypass flaw in OpenBSD's authentication system; although it can be exploited remotely against smtpd, ldapd and radiusd, its actual impact must be assessed case by case
  • CVE-2019-19520: A local privilege escalation via “xlock”; in OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID “auth”, not set-user-ID, so the check it relies on to detect a privileged context is incomplete and issetugid() should be used instead, note the web application security experts
  • CVE-2019-19522: A local privilege escalation via “S/Key” and “YubiKey”: if the S/Key or YubiKey authentication type is enabled (both are installed but disabled by default), a local attacker with the privileges of the “auth” group could obtain the full privileges of the user “root”
  • CVE-2019-19519: A local privilege escalation via “su”. In this case, a local attacker could exploit the -L option of “su” to log into the system with a different login class
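The xlock item above turns on a single point: a program that only compares its real and effective user id will not notice that it is set-group-ID, and will treat itself as an ordinary unprivileged process. The following C snippet is an added illustration written for this article, not code from OpenBSD or xlock; the functions take the ids as parameters (assumed names, so that constructed values can be compared) and the runtime wrapper `running_setugid()` is this illustration's own helper.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Incomplete policy: compares only the real and effective user id.
 * A set-group-ID binary (uid == euid but gid != egid), which is how
 * xlock is installed on OpenBSD, is wrongly classified as unprivileged. */
int elevated_uid_only(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    (void)gid;
    (void)egid;
    return uid != euid;
}

/* Complete policy: any difference between real and effective ids means
 * the process holds privileges its invoker does not have, so untrusted
 * input such as environment-supplied paths must not be honoured. */
int elevated_uid_or_gid(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Runtime wrapper (illustration's own helper): on the BSDs and macOS,
 * issetugid(3) answers the question directly and keeps answering "yes"
 * even after the program has dropped privileges, which a plain id
 * comparison cannot do. On Linux the kernel exposes the same "taint"
 * bit through getauxval(AT_SECURE); elsewhere fall back to comparing ids. */
int running_setugid(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#elif defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return elevated_uid_or_gid(getuid(), geteuid(), getgid(), getegid());
#endif
}

int main(void)
{
    /* Constructed values: an unprivileged user (uid 1000) running a binary
     * that is set-group-ID to a group with gid 11, like xlock and "auth". */
    uid_t uid = 1000, euid = 1000;
    gid_t gid = 1000, egid = 11;

    printf("uid-only check says elevated: %d\n",
           elevated_uid_only(uid, euid, gid, egid));      /* 0: misses it */
    printf("uid-or-gid check says elevated: %d\n",
           elevated_uid_or_gid(uid, euid, gid, egid));    /* 1: catches it */
    printf("this process is set-uid/gid: %d\n", running_setugid());
    return 0;
}
```

The uid-only check is the pattern the advisory describes as incomplete; the second function, or better `issetugid()` where the platform provides it, is what a privileged helper should consult before trusting anything it inherits from its caller.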

Qualys has issued QID 38774 for Qualys Vulnerability Management, covering the authentication vulnerabilities in OpenBSD. This QID is included in signature version VULNSIGS-2.4.762-6. The detection includes both remote and authenticated checks:

  • Remote: The detection sends a specially crafted payload to the LDAP and SMTP services, attempting to authenticate remotely using “-schallenge”
  • Authenticated (OpenBSD): The detection runs the command “syspatch -l” to verify which patches have been applied to the system

Qualys users can scan their network with QID 38774 to detect vulnerable assets and apply the available fixes as soon as possible, effectively removing the risk of exploitation.

To fix these flaws, web application security specialists at the International Institute for Cyber Security (IICS) recommend applying the latest patches for OpenBSD 6.5 and OpenBSD 6.6.