It has come to our attention that there is a security risk that could affect some customers. It involves an authentication bypass and several local privilege escalation flaws in OpenBSD.
A remote authentication bypass has been found in OpenBSD. Because the username supplied at login is not validated before libc hands it to the authentication helper, a remote third party can abuse the login helper invocation in libc. The bug is trivial to exploit: supplying the username “-schallenge”, or “-schallenge:passwd” to force the passwd authentication style, bypasses the password check.
The authentication bypass lies in the way OpenBSD’s authentication framework passes the username through to its login helper when a user logs in through a service built on that framework, such as smtpd, ldapd, radiusd, su or sshd. The framework appends the username to the helper’s argument list after its own options, so a name that begins with a hyphen (-) is consumed by the helper’s option parser as a command-line option instead of being treated as a username. “-schallenge” is read as the option -s with the value challenge, which overrides the authentication service the framework asked for and switches the helper into challenge mode, and the framework’s handling of the challenge protocol then lets the login succeed with any password. A remote attacker can therefore access a vulnerable service with any password just by entering “-schallenge” or “-schallenge:passwd” as the username. Whether a given service is actually exploitable depends on how it drives the framework, so treat every exposed service that uses it as suspect until it is patched.
The other bugs are CVE-2019-19520, a local privilege escalation through xlock, which is installed set-group-ID auth and loads a shared library from an environment-controlled path without dropping privileges, giving a local user ‘auth’ group privileges; CVE-2019-19522, a local privilege escalation from the ‘auth’ group to root through the S/Key and YubiKey authentication mechanisms, which trust files that ‘auth’ group members can write (it applies only where S/Key or YubiKey authentication is enabled); and CVE-2019-19519, a local privilege escalation through su’s -L option.
If any customers run any of these services, we advise patching the affected machines as soon as possible.
This risk could be exploited in the following ways:
- An attacker can log in with any password by entering the username as “-schallenge” or “-schallenge:passwd”.
- A local attacker can escalate privileges to the ‘auth’ group through xlock.
- An attacker with ‘auth’ group membership can gain full root privileges where S/Key or YubiKey authentication is enabled.
- A local attacker can obtain any user’s login class, often excluding root, by exploiting su’s -L option.
How do I remediate?
To remediate these vulnerabilities, apply the latest patches from the links below. On supported OpenBSD releases the errata are delivered through syspatch(8), which can also list which patches are already installed, so use it to confirm that every affected machine has actually received the fixes.
How Can Ward Help?
If you would like additional information or would like support in assessing and protecting your environment, please contact us.