An authentication bypass and three local privilege-escalation (LPE) bugs have been uncovered in OpenBSD, the Unix-like open-source operating system known for its security protections.
The most severe of the vulnerabilities is the bypass (CVE-2019-19521), which is remotely exploitable.
OpenBSD uses BSD authentication, which enables the use of passwords, S/Key challenge-and-response authentication and Yubico YubiKey tokens. In each of these cases, to perform the authentication, the string “/usr/libexec/auth/login_style [-v name=value] [-s service] username class” is used. If an attacker specifies the username “-schallenge” (or “-schallenge:passwd,” the authentication is automatically successful and therefore bypassed.
That said, “Its real-world impact should be studied on a case-by-case basis,” said Qualys, the research firm that found the bugs, in an advisory issued this week. “For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.”
The other bugs include CVE-2019-19520, which allows LPE via xlock, which refuses all new server connections until a user enters a password at the keyboard; CVE-2019-19522, which allows LPE via the aforementioned authentication mechanisms S/Key and YubiKey; and CVE-2019-19519, which allows LPE via su.
The first bug exists because, “/usr/X11R6/bin/xlock is installed by default and is set-group-ID ‘auth,’ not set-user-ID, which leaves an incomplete check,” Qualys explained. “A local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group ‘auth.'”
Armed with the privileges of the group “auth”, a local attacker can then use the second LPE bug to obtain full root privileges, if the S/Key or YubiKey authentication type is enabled.
“[That’s because login_skey and login_yubikey do not verify that the files in /etc/skey and /var/db/yubikey belong to the correct user, and these directories are both writable by the group ‘auth,'” Qualys said.
To exploit the issue, a local attacker with “auth” privileges can add an S/Key entry (a file in /etc/skey) or a YubiKey entry (two files in /var/db/yubikey) for the user “root.”
The last bug allows a local attacker to exploit a problem in su. “Su” stands for “substitute user,” and is used by a computer user to execute commands with the privileges of another user account. When executed it invokes a shell without changing the current working directory or the user environment.
In this case, a flaw in su’s -L option (“Loop until a correct username and password combination is entered”) allows an attacker to log in as themselves but with another user’s login class.
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.