Web application security researchers at the security firm Qualys Research Labs have reported multiple vulnerabilities in the authentication system of the OpenBSD operating system. The OpenBSD developer team has already confirmed the flaws, and some fixes were published within 48 hours of the report.
In total, the researchers found four vulnerabilities, each of which has already been assigned a CVE identifier:
An authentication bypass flaw in OpenBSD: although it can be exploited remotely in smtpd, ldapd and radiusd, its actual impact in the wild must be assessed case by case.
A local privilege escalation vulnerability through "xlock": in OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID "auth", not set-user-ID; therefore the privilege check xlock performs is incomplete and issetugid() should be used instead, as web application security specialists point out.
A local privilege escalation flaw through "S/Key" and "YubiKey": if the S/Key or YubiKey authentication type is enabled (both are installed but disabled by default), a local attacker could use the privileges of the "auth" group to obtain all the privileges of the
A local privilege escalation vulnerability through "su": in this case, a local attacker could exploit the -L option of "su" to log into the system with a different login class.
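The xlock item above says the program's privilege check is incomplete because the binary is set-group-ID rather than set-user-ID, and that issetugid() should be used instead. The following C program is an added illustration of that point, not code from the article, from Qualys or from xlock: it contrasts a check that only compares real and effective user IDs with one that also covers group IDs, using constructed IDs (the numeric value chosen for the "auth" group is hypothetical), and shows a runtime wrapper that calls issetugid(2) on OpenBSD and falls back to an ID comparison elsewhere.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed IDs for an unprivileged user running a binary that is
 * installed set-group-ID "auth" (the xlock situation described in the
 * article): real and effective UID match, but the effective GID does not. */
#define DEMO_UID      1000
#define DEMO_GID      1000
#define DEMO_AUTH_GID 11   /* hypothetical numeric id for the "auth" group */

/* The incomplete kind of check: it only notices a set-user-ID gain,
 * so a set-group-ID binary looks unprivileged to it. */
int privileged_uid_only(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* A check that also notices a set-group-ID gain. */
int privileged_uid_or_gid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* What a program should call at runtime. On OpenBSD, issetugid(2) reports
 * whether the process image was started set-user-ID or set-group-ID, even
 * after the program has dropped the extra IDs; that is the call the
 * article says xlock should use. The non-OpenBSD fallback is only an
 * approximation assumed here so the example builds elsewhere. */
int process_has_elevated_privileges(void)
{
#ifdef __OpenBSD__
    return issetugid();
#else
    return privileged_uid_or_gid(getuid(), geteuid(), getgid(), getegid());
#endif
}

int main(void)
{
    /* For the constructed set-group-ID case, the first check returns 0
     * (misses the gain) while the second returns 1 (catches it). */
    printf("uid-only check sees privilege: %d\n",
           privileged_uid_only(DEMO_UID, DEMO_UID));
    printf("uid-or-gid check sees privilege: %d\n",
           privileged_uid_or_gid(DEMO_UID, DEMO_UID, DEMO_GID, DEMO_AUTH_GID));
    printf("this process started set-ugid: %d\n",
           process_has_elevated_privileges());
    return 0;
}
```

The point of the wrapper is that an ID comparison is a snapshot: once a program has called setgid() to drop the "auth" group, the real and effective GIDs agree again and the comparison says "unprivileged", whereas issetugid() keeps reporting the set-ID start for the lifetime of the image.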
Qualys has issued QID 38774 for Qualys Vulnerability Management, covering the authentication vulnerabilities in OpenBSD. This QID is included in signature version VULNSIGS-2.4.762-6. The detection includes a remote check and an authenticated check:
Remote check: sends a specially crafted payload through the LDAP and SMTP services to attempt authentication remotely using "-schallenge".
Authenticated check (OpenBSD): runs the command "syspatch -l" to verify which patches have been applied on the system.
Qualys users can scan their network with QID 38774 to detect vulnerable assets and apply the available fixes as soon as possible to prevent exploitation of these flaws.
To fix these flaws, web application security specialists at the International Institute for Cyber Security (IICS) recommend applying the latest patches for OpenBSD 6.5 and OpenBSD 6.6.