OpenBSD addresses authentication bypass, privilege escalation issues

Experts from Qualys Research Labs discovered four high-severity security flaws in OpenBSD, one of which is a type authentication bypass issue.

Researchers from Qualys Research Labs discovered four high-severity security vulnerabilities in OpenBSD, a type authentication bypass issue and three privilege escalation bugs.

The three issued could be exploited by local users or malware to gain privileges of anauth group, root, as well as of other users, respectively.

The OpenBSD development team addressed the flaws less than two days after they were reported by the experts by releasing security patches for OpenBSD 6.5 and OpenBSD 6.6.

The first OpenBSD vulnerability, an authentication bypass issue tracked as CVE-2019-19521, affects the way OpenBSD’s authentication framework parses the username supplied by a user while logging in through smtpd, ldapd, radiusd, su, or sshd services.

“We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.” reads the security advisory published by the experts.

A remote attacker could exploit this vulnerability to access vulnerable services by entering the username as “-schallenge” or “-schallenge: passwd.” The ‘-‘ symbol prefixed to the username tricks OpenBSD into interpreting the value as a command-line option.

The “-schallenge” is interpreted as “-s challenge” and forces the system into ignoring the challenge protocol that eventually allows to bypass the authentication automatically.

“If an attacker specifies a username of the form ‘-option’, they can influence the behavior of the authentication program in unexpected ways,” continues the advisory.

The flaw is exploitable in smtpd, ldapd, and radiusd, but not in sshd or su because the presence of the defense-in-depth mechanisms that hang the connection even after successful authentication bypass.

The second vulnerability tracked as CVE-2019-19520 is a local privilege escalation issue caused by a failed check in xlock. A local attacker can trigger the issue to obtain the privileges of set-group-ID “auth” through xlock, which is installed by default. 

The third issue trackers as CVE-2019-19522 is an authentication bypass issue found in the OpenBSD’s authentication protocol.

A local attacker with ‘auth‘ group permission can gain full privileges of the root user due to the incorrect operation of authorization mechanisms via “S/Key” and “YubiKey.” (“which is a non-default configuration“)

The last issue tracked as CVE-2019-19519 is caused by a logical error in one of the su’s primary functions, that could be exploited by a local attacker to achieve any user’s login class, often excluding root, by exploiting su’s -L option.

The experts released PoC exploits for each vulnerability in the advisory, OpenBSD users are recommended to install the security patches using syspatch mechanism.

Pierluigi Paganini

(SecurityAffairs – OpenBSD, hacking)

Share On