Four serious vulnerabilities have been found and fixed in OpenBSD. Three of them allow privilege escalation on the system, and the fourth allows authentication to be bypassed.
Qualys Research Labs discovered the problems and reported them to the developers last week. The developers, in turn, prepared patches: fixes for OpenBSD 6.5 and OpenBSD 6.6 were released late last week, less than 40 hours after the vulnerability report was received.
The most dangerous of the four problems is CVE-2019-19521, which allows authentication to be bypassed. The root of the problem is how OpenBSD parses the username supplied by the user when logging in via smtpd, ldapd, or radiusd.
A remote attacker could gain access to vulnerable services simply by entering a username of the form “-schallenge” or “-schallenge: passwd”. The attack works because of the “-” character in front of the username: OpenBSD interprets the value not as a username but as a command-line option, and treats it as a request to the S/Key handler. Since S/Key is only nominally supported, this leads to automatic successful authentication.
The researchers write that sshd and su are not affected, thanks to the security mechanisms in place, but sshd can still be used to determine whether a given version of OpenBSD is vulnerable to CVE-2019-19521.
The three other vulnerabilities (CVE-2019-19520, CVE-2019-19522, and CVE-2019-19519) are local privilege escalation issues. They allow a local user to escalate their privileges to the “auth” group and to root.
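The parsing mistake behind CVE-2019-19521, shown as an added example that is not OpenBSD's code or its patch: a constructed getopt-style argument loop consumes a login name with a leading “-” as an option, and two common mitigations are applied, a `--` end-of-options separator and an allow-list check on the name. The names `parse_helper_args` and `username_is_safe`, the character set and the 31-character limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an auth helper's getopt-style argument loop:
 * anything starting with '-' is an option until "--" is seen. Returns the
 * number of options consumed; *user gets the first operand, or NULL. */
int parse_helper_args(int argc, const char *const argv[], const char **user)
{
    int opts = 0, end_of_opts = 0;
    *user = NULL;
    for (int i = 1; i < argc; i++) {
        if (!end_of_opts && strcmp(argv[i], "--") == 0) {
            end_of_opts = 1;            /* everything after is an operand */
        } else if (!end_of_opts && argv[i][0] == '-' && argv[i][1] != '\0') {
            opts++;                     /* login name misread as an option */
        } else if (*user == NULL) {
            *user = argv[i];
        }
    }
    return opts;
}

/* Hypothetical allow-list check run before the name reaches any helper:
 * 1..31 chars from [A-Za-z0-9_.-], never starting with '-'. */
int username_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 31 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *user;
    const char *const naive[] = { "helper", "-schallenge" };
    const char *const guarded[] = { "helper", "--", "-schallenge" };
    int n = parse_helper_args(2, naive, &user);
    int g = parse_helper_args(3, guarded, &user);
    printf("naive: %d option(s); guarded: %d option(s), user=%s\n", n, g, user);
    printf("validator accepts it: %d\n", username_is_safe("-schallenge"));
    return 0;
}
```

The separator keeps the string from being parsed as an option, while the validator rejects it before any helper is invoked; using both gives two independent layers.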
Since the patches are ready, Qualys Research Labs specialists not only published a detailed description of the problems, but also posted PoC exploits for each of the vulnerabilities.