Multiple critical vulnerabilities found in OpenBSD

Web application security researchers at security firm Qualys Research Labs have reported multiple vulnerabilities in the OpenBSD operating system's authentication system. The OpenBSD developer team has already confirmed the existence of the flaws, and fixes were released within 48 hours of the report.

In total, researchers found four vulnerabilities, each of which has already been assigned a CVE identifier:

  • CVE-2019-19521:
    An authentication bypass flaw in the OpenBSD authentication system. Although
    it can be exploited remotely through smtpd, ldapd and radiusd, its actual
    impact in the wild must be assessed case by case.
  • CVE-2019-19520:
    A local privilege escalation vulnerability through “xlock”. In OpenBSD,
    /usr/X11R6/bin/xlock is installed by default and is set-group-ID “auth”,
    not set-user-ID; the privilege check the program performs is therefore
    incomplete, and issetugid() should be used instead, according to the web
    application security experts.
  • CVE-2019-19522:
    A local privilege escalation flaw through “S/Key” and “YubiKey”. If the
    S/Key or YubiKey authentication type is enabled (both are installed but
    disabled by default), a local attacker could exploit the privileges of the
    “auth” group to obtain all the privileges of the
  • CVE-2019-19519:
    A local privilege escalation vulnerability through “su”. In this case, a
    local attacker could exploit the -L option of “su” to log into the system
    with another login class.
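The xlock entry above turns on a subtle point: a check that only compares real and effective user ids does not notice a set-group-ID binary. The following Python snippet is an added illustration written for this article, not code from OpenBSD or from Qualys; the process ids it uses are constructed, and it models issetugid() as a comparison of real versus effective ids, which is an approximation (on OpenBSD the real call reports whether the process ever gained privilege at exec time).

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessIds:
    """Real and effective user/group ids of a process."""
    uid: int
    euid: int
    gid: int
    egid: int


def setuid_only_check(ids: ProcessIds) -> bool:
    """Incomplete check: treats the process as privileged only when the
    effective user id differs from the real one, so a set-group-ID binary
    that never changed its user id is missed entirely."""
    return ids.uid != ids.euid


def setugid_check(ids: ProcessIds) -> bool:
    """Complete check: a mismatch in either the user or the group ids means
    the binary gained privilege at exec time. This is the property that
    issetugid(2) exposes on OpenBSD (approximated here by id comparison)."""
    return ids.uid != ids.euid or ids.gid != ids.egid


def current_process_ids() -> ProcessIds:
    """Read the ids of the running interpreter, for trying the checks live."""
    return ProcessIds(os.getuid(), os.geteuid(), os.getgid(), os.getegid())


# Constructed ids for a set-group-ID "auth" program started by an ordinary
# user: same real/effective uid, but the effective gid is the "auth" group.
# The value 11 for "auth" is an assumed number, not taken from any system.
XLOCK_LIKE = ProcessIds(uid=1000, euid=1000, gid=1000, egid=11)


if __name__ == "__main__":
    print("uid-only check says privileged:", setuid_only_check(XLOCK_LIKE))  # False
    print("uid+gid check says privileged:", setugid_check(XLOCK_LIKE))       # True
```

Run as an ordinary user, the first check reports "not privileged" for the setgid case while the second correctly reports that privilege was gained, which is why the advisory points at issetugid() rather than a user-id comparison.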

Qualys has issued QID 38774 for Qualys Vulnerability Management that covers the authentication vulnerabilities in OpenBSD. This QID is included in signature version VULNSIGS-2.4.762-6. The detection includes remote and authenticated checks:

  • Remote:
    This detection sends a specially crafted payload to the LDAP and SMTP
    services, attempting to authenticate remotely as “-schallenge”
  • Authenticated (OpenBSD):
    Runs the command “syspatch -l” to check which patches have been applied
    on the system
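The remote check above relies on the fact that the user name the scanner submits, “-schallenge”, begins with a dash and so looks like a command-line option rather than an account name. Defenders can look for the same pattern in their own authentication logs. The script below is an added example written for this article, not a Qualys or OpenBSD tool; the log lines are constructed and their format is an assumption loosely modelled on smtpd's authentication logging, so the regular expression should be adapted to the real format in use. It flags any login name that starts with “-”, which generalizes beyond the literal “-schallenge” string.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real OpenBSD output). The "user=... result=..."
# layout is an assumption for this example, not smtpd's exact format.
SAMPLE_LOG = """\
Dec  4 10:01:12 mail smtpd[1234]: 8f2a1c0b smtp authentication user=alice result=ok
Dec  4 10:01:40 mail smtpd[1234]: 8f2a1c0c smtp authentication user=-schallenge result=ok
Dec  4 10:02:05 mail smtpd[1234]: 8f2a1c0d smtp authentication user=bob result=permfail
Dec  4 10:02:30 mail smtpd[1234]: 8f2a1c0e smtp authentication user=-x result=permfail
Dec  4 10:03:00 mail smtpd[1234]: 8f2a1c0f smtp authentication user=carol result=ok
"""

# Matches the assumed "user=<name> result=<status>" fields of an auth record.
AUTH_RE = re.compile(r"smtp authentication user=(?P<user>\S+) result=(?P<result>\S+)")


def option_like_username(user: str) -> bool:
    """True when the submitted login name could be parsed as an option by an
    authentication helper. Legitimate account names never start with '-'."""
    return user.startswith("-")


def find_suspicious_auth(log_text: str) -> List[Dict[str, str]]:
    """Return every authentication record whose user name is option-like.
    A successful result on such a record is the strongest signal, but failed
    attempts are reported too, since they show someone probing the service."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if option_like_username(user):
            hits.append({"user": user, "result": m.group("result"), "line": line})
    return hits


def successful_bypass_candidates(log_text: str) -> List[str]:
    """Only the option-like names that were accepted by the service."""
    return [h["user"] for h in find_suspicious_auth(log_text) if h["result"] == "ok"]


if __name__ == "__main__":
    for h in find_suspicious_auth(SAMPLE_LOG):
        print(f"suspicious login name {h['user']!r} (result={h['result']}): {h['line']}")
```

On the constructed sample the script reports two option-like names, of which only “-schallenge” was accepted; on a patched system the same probe should appear, if at all, with a failure result, so a surviving “ok” next to such a name is the line worth escalating.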

Qualys users can scan their network with QID 38774 to detect vulnerable assets and apply the available fixes as soon as possible to prevent any risk of exploitation.

To fix these flaws, web application security specialists at the International Institute for Cyber Security (IICS) recommend applying the latest patches for OpenBSD 6.5 and OpenBSD 6.6.
