OpenBSD 6.6 Multiple Authentication Bypass Vulnerabilities

critical Nessus Plugin ID 134384

Synopsis

The remote host is missing vendor-supplied security patches.

Description

The remote OpenBSD host is running version 6.6 and is missing security patches. It is, therefore, affected by multiple vulnerabilities:
- In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c. (CVE-2019-19519)
- xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. (CVE-2019-19520)
- libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c). (CVE-2019-19521)
- OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root. (CVE-2019-19522)

Solution

Apply the latest OpenBSD security patches using the syspatch command. Alternatively, compile and apply the patches from source.

See Also

http://www.nessus.org/u?a02bd4a6

https://openbsd.org/errata66.html

Plugin Details

Severity: Critical

ID: 134384

File Name: openbsd_auth_bypass.nbin

Version: 1.200

Type: local

Family: Misc.

Published: 1/6/2020

Updated: 10/9/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-19521

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:openbsd:openbsd

Required KB Items: Host/uname

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/8/2019

Vulnerability Publication Date: 12/4/2019

Reference Information

CVE: CVE-2019-19519, CVE-2019-19520, CVE-2019-19521, CVE-2019-19522