Developers fixed four authorization vulnerabilities in OpenBSD

The developers of the open-source operating system OpenBSD have fixed four vulnerabilities in its authorization tools that allowed protection mechanisms to be bypassed and privileges to be escalated on the target machine. Although the bugs had not received a CVSS severity rating at the time of publication, experts have no doubt that the exploits are practical.

OpenBSD, an open-source multi-platform OS, provides many elements of IT infrastructure that require additional protection. Information security has been one of the key priorities of the system's creators, so OpenBSD is often used to run firewalls, mail servers and Internet servers.

Qualys experts reported the discovery of new bugs to developers.

“OpenBSD, an open-source operating system built with security in mind, has been found vulnerable to four new high-severity security vulnerabilities, one of which is an old-school type authentication bypass vulnerability in BSD Auth framework,” write Qualys specialists.

The most serious bug (CVE-2019-19521) lies in the OpenBSD authorization framework. The researchers found that if a hyphen is added to the username, the program treats the resulting string as a command rather than as a username. This allowed the experts to enter the system while bypassing password verification.


The method works against the smtpd, ldapd and radiusd services. The sshd and su programs have additional security mechanisms that block the connection when authentication is bypassed.
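The bug class described above, untrusted input landing in a position where a program's option parser reads it as an option, can be shown without any OpenBSD code. The following is an added example, not code from OpenBSD or Qualys: it simulates a hypothetical authentication helper that parses its command line with getopt(3) semantics (an assumed `-s <style>` option followed by one positional username), contrasts the vulnerable way of building that command line with a hardened one, and uses a username policy (`USERNAME_RE`) that is an assumption for this example rather than OpenBSD's own rule.

```python
import getopt
import re

# Username policy for this example (an assumption, not OpenBSD's own rule):
# up to 32 characters of letters, digits, '_', '.' or '-', and the first
# character must not be '-', so a name can never look like an option.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def simulate_helper(argv):
    """Stand-in for a hypothetical authentication helper that parses its
    command line with getopt(3) semantics: '-s <style>' selects the
    authentication style and exactly one positional argument is the
    username. Returns (style, username); raises if the line is malformed."""
    opts, positional = getopt.getopt(argv, "s:")
    style = dict(opts).get("-s", "passwd")
    if len(positional) != 1:
        raise ValueError("expected exactly one username, got %r" % positional)
    return style, positional[0]


def build_argv_unsafe(username, style="passwd"):
    """Vulnerable pattern: the untrusted username is appended to argv
    unvalidated, where the helper's option parser still treats anything
    starting with '-' as an option instead of as the username."""
    return ["-s", style, username]


def build_argv_safe(username, style="passwd"):
    """Hardened pattern: reject names that fail the policy, and place '--'
    before the username so getopt stops option parsing regardless."""
    if not USERNAME_RE.match(username):
        raise ValueError("rejected username: %r" % username)
    return ["-s", style, "--", username]


def outcome(username):
    """Run both patterns for one username and report what the helper
    would see: ('ok', style, username) or ('error', message) per pattern."""
    result = {}
    for name, builder in (("unsafe", build_argv_unsafe), ("safe", build_argv_safe)):
        try:
            style, user = simulate_helper(builder(username))
            result[name] = ("ok", style, user)
        except (getopt.GetoptError, ValueError) as exc:
            result[name] = ("error", str(exc))
    return result


if __name__ == "__main__":
    # Constructed sample usernames: a normal one, two option-shaped ones,
    # an empty one and one with a space.
    for name in ("alice", "-sother", "-x", "", "bob smith"):
        print("%-12r %s" % (name, outcome(name)))
```

With the unsafe builder, a name that begins with a hyphen is consumed by getopt as an option (`-sother` silently changes the style and leaves no username; `-x` is an unknown-option error), while the empty name is accepted as a username. The safe builder rejects all of these up front, and the `--` separator means that even a name which slips past validation is still delivered as a positional argument, as `simulate_helper(["-s", "passwd", "--", "-sother"])` shows.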

Other vulnerabilities can be used after penetrating the system to obtain additional rights:

  1. CVE-2019-19520 was found in the xlock component, which is part of the base system configuration. An access-path handling error allows an attacker to elevate privileges to group level.
  2. CVE-2019-19522 is associated with the S/Key and YubiKey authorization mechanisms, which are disabled by default but can be re-enabled by the system administrator. In that case, an attacker could use the bug to gain root access to the system.
  3. CVE-2019-19519 lies in one of the basic functions of the su utility and enables access to any authorization class except root.

In 2018, researchers found a bug in an OpenBSD package that had remained in the code for 19 years. The vulnerability in the SSH component, which is responsible for securing Internet connections, made it possible to discover a username when attacking web resources.

Recommendations:

It took the developers less than two days to fix the discovered vulnerabilities. They urge all users of the OpenBSD 6.5 and 6.6 branches to upgrade their builds. Since patches for all four security vulnerabilities are now available, affected OpenBSD users are advised to install them using the syspatch mechanism.
