Researchers from Qualys have discovered four different vulnerabilities in OpenBSD that developers have now patched. These include some serious security flaws leading to authentication bypass and local privilege escalation.
Authentication Bypass Flaw
The most important of the OpenBSD vulnerabilities is the authentication bypass flaw CVE-2019-19521. The vulnerability existed in the authentication system making it prone to remote attacks. Nonetheless, the vulnerability did not affect all systems alike.
Describing the vulnerability in an advisory, the researchers stated,
This vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
To demonstrate their observation, the researchers have also shared case studies in their advisory.
Other OpenBSD Vulnerabilities
In addition to the above, Qualys researchers also found three other vulnerabilities in OpenBSD. A local attacker could exploit these bugs to gain escalated privileges of an ‘auth’ group, root access, or other user access. It was even possible to exploit the bugs via malware.
These vulnerabilities include,
- CVE-2019-19520: Local privilege escalation via xlock
- CVE-2019-19522: Local privilege escalation via S/Key and YubiKey
- CVE-2019-19519: Local privilege escalation via su
Upon discovering the bugs, researchers reported the matter to OpenBSD developers who promptly addressed their report. After the release of the fixes, the researchers disclosed their findings for the users.
Qualys has also appreciated the quick resolution of the matter (within 40 hours) from the developers’ end.
We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact.
Patches for both OpenBSD 6.5 and OpenBSD 6.6 are now available. Users of these systems should ensure they update their devices with patches to stay protected.
Let us know your thoughts in the comments.