OpenBSD, a widely respected open-source operating system designed with a focus on security, has recently been found to contain four critical security flaws. The most notable of these is an authentication bypass in the BSD Auth framework.

The remaining three vulnerabilities are privilege escalation flaws that could allow local users or malicious actors to obtain elevated privileges: membership of the auth group, root access, or the privileges of other users.

These vulnerabilities were discovered and reported by Qualys Research Labs earlier this week. OpenBSD developers responded swiftly, releasing security patches for versions 6.5 and 6.6 within approximately 40 hours of the report.

It is worth examining each flaw to understand its implications and risks. The first, CVE-2019-19521, is an authentication bypass that arises from the way OpenBSD's authentication framework interprets usernames during login attempts via services such as smtpd, ldapd, radiusd, su, or sshd.

By exploiting this vulnerability, a remote attacker could gain access to affected services by supplying a username of the form “-schallenge” or “-schallenge:passwd”. The leading hyphen causes OpenBSD to treat the input as a command-line option rather than a username, which ultimately circumvents the authentication process.

According to the researchers, this weakness is exploitable in particular against the smtpd, ldapd, and radiusd services, whereas sshd and su have defense-in-depth mechanisms that complicate successful exploitation.
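As an added illustration (not OpenBSD's code, and not taken from the Qualys advisory), the C program below models the parsing mistake in a hypothetical getopt(3)-based authentication helper that accepts a "-s style" option, the letter being borrowed from the "-schallenge" payload described above, and shows two defensive layers: ending option parsing with "--" before any user-supplied name, and refusing names that begin with a hyphen. The helper, its option letter and the allowed character set are assumptions, not OpenBSD's actual login_passwd behaviour.

```c
#include <ctype.h>
#include <getopt.h>
#include <stdio.h>
#include <string.h>
/* What a getopt(3)-based helper extracts from its argv. */
struct helper_args {
    char style[64];    /* value of the hypothetical -s option, or "" */
    const char *user;  /* first non-option operand, or NULL if none */
};
/* getopt keeps global state; reset it so parse_helper_args can run repeatedly. */
static void getopt_reset(void) {
#if defined(__GLIBC__) || defined(__linux__)
    optind = 0;                 /* glibc and musl re-initialise when optind == 0 */
#else
    optind = 1; optreset = 1;   /* BSD libc (OpenBSD, macOS) */
#endif
}
/* Parse argv like a hypothetical authenticator accepting "-s style"; the letter
 * mirrors the "-schallenge" payload, and this is not OpenBSD's login_passwd.
 * Without a "--" guard, "-schallenge" is consumed as style "challenge". */
struct helper_args parse_helper_args(int argc, char *argv[]) {
    struct helper_args r = { "", NULL }; int ch;
    getopt_reset();
    opterr = 0;                              /* quiet on unknown options */
    while ((ch = getopt(argc, argv, "s:")) != -1)
        if (ch == 's')
            snprintf(r.style, sizeof r.style, "%s", optarg);
    if (optind < argc)
        r.user = argv[optind];               /* operand after the options */
    return r;
}
/* Second layer: refuse any name that could be read as an option.  The allowed
 * character set is an assumption, not OpenBSD's rule. */
int username_is_safe(const char *name) {
    if (name == NULL || *name == '\0' || *name == '-')
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '.' && *p != '-')
            return 0;
    return 1;
}
int main(void) {
    char *argv1[] = { "helper", "-schallenge", NULL };
    char *argv2[] = { "helper", "--", "-schallenge", NULL };  /* "--" ends option parsing */
    struct helper_args a = parse_helper_args(2, argv1), b = parse_helper_args(3, argv2);
    printf("unguarded: style=\"%s\" user=%s\n", a.style, a.user ? a.user : "(none)");
    printf("guarded:   style=\"%s\" user=%s\n", b.style, b.user ? b.user : "(none)");
    printf("username_is_safe(\"-schallenge\") = %d\n", username_is_safe("-schallenge"));
    return 0;
}
```

The unguarded call reports style "challenge" and no username at all, which is the shape of the misinterpretation the article describes; the guarded call sees "-schallenge" as an ordinary operand, and username_is_safe() rejects it outright.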

The remaining three flaws are local privilege escalations.

The first, CVE-2019-19520, arises from improper handling of an environment-provided path in dlopen(), allowing a local attacker to use the xlock utility, which is installed by default on OpenBSD, to escalate privileges to those of the auth group.

The second, CVE-2019-19522, involves faulty authorization logic related to S/Key and YubiKey authentication, allowing a local attacker who is already a member of the auth group to gain full root privileges.

The third, CVE-2019-19519, results from a logic error in one of su's primary functions, enabling a local attacker to obtain any user's login class, usually excluding root, by leveraging the -L option.

Qualys has published proof-of-concept exploits for each vulnerability in its advisory. OpenBSD users are urged to apply the available patches through the syspatch mechanism to mitigate the associated risks.

Given the nature of these flaws, it is vital for business owners to remain informed and proactive. The vulnerabilities described map to adversary tactics such as initial access and privilege escalation, as defined in the MITRE ATT&CK framework, underscoring the need for robust security controls across systems. Monitoring and timely patching remain critical defenses, especially for systems like OpenBSD that are commonly deployed in sensitive and critical environments.
