OpenBSD has fixed four vulnerabilities, including privilege escalation weaknesses and a remotely exploitable authentication bypass.
OpenBSD is a Unix-like open source operating system derived from the Berkeley Software Distribution (BSD) with a strong focus on security. On Wednesday, Qualys Research Labs disclosed four vulnerabilities in the operating system.
The vulnerabilities have been assigned CVE-2019-19522, CVE-2019-19521, CVE-2019-19520 and CVE-2019-19519.
The first flaw, CVE-2019-19521, is an authentication bypass in OpenBSD's authentication framework. The operating system relies on BSD Authentication, and if an attacker supplies a specific username, authentication succeeds automatically. The vulnerability is remotely exploitable via smtpd, ldapd and radiusd.
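As an added defender-side example (not from the article, Qualys or the OpenBSD project), the check below scans constructed authentication log lines and flags successful logins whose username is not a well-formed account name; the publicly documented root cause of the bypass was a username beginning with a hyphen that the authentication backend interpreted as an option rather than as an account. The log line format and the sample usernames are assumptions made for this example.

```python
import re

# Portable POSIX username shape: must start with a letter or underscore, so a
# leading "-" (which a BSD Auth backend may mistake for an option) never passes.
VALID_USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")

# Constructed sample lines (assumed format, not real OpenBSD daemon output):
# <service> <outcome> user=<name>
SAMPLE_LOG = """\
smtpd auth-failed user=alice
radiusd auth-ok user=bob
ldapd auth-ok user=-x
smtpd auth-ok user=-y:passwd
smtpd auth-failed user=-z
"""

LINE = re.compile(r"^(?P<svc>\S+) (?P<result>auth-ok|auth-failed) user=(?P<user>.*)$")


def suspicious_auth_events(log_text):
    """Return (service, user) pairs for successful logins with a malformed username.

    A malformed name that nevertheless authenticated is what a defender would
    hunt for after CVE-2019-19521: the backend accepted an option-like string
    instead of a real account name. Failed attempts are reported separately
    by normal log review and are not flagged here.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not authentication records
        user = m.group("user")
        if m.group("result") == "auth-ok" and not VALID_USERNAME.fullmatch(user):
            hits.append((m.group("svc"), user))
    return hits


if __name__ == "__main__":
    for svc, user in suspicious_auth_events(SAMPLE_LOG):
        print(f"ALERT: {svc} accepted malformed username {user!r}")
```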
The second flaw, CVE-2019-19520, is a privilege escalation caused by a flawed check in xlock. An attacker with local access to an OpenBSD system can gain the privileges of the set-group-ID "auth" group via xlock, which is installed by default.
CVE-2019-19522, the third OpenBSD flaw, is another privilege escalation, found in the "S/Key" and "YubiKey" authentication modes.
If S/Key or YubiKey authentication is enabled (both are installed by default but disabled), a local attacker who already holds "auth" group privileges can escalate to full root.
To obtain "auth" privileges in the first place, an attacker can chain this with CVE-2019-19520.
The fourth and last vulnerability, CVE-2019-19519, was found in the "su" utility. A local attacker can abuse su's "-L" option, which loops until a correct username and password combination is entered, to log in as themselves but with a different login class.
OpenBSD developers acknowledged the issues and developed and published security updates in under 40 hours.
The patches are available for download; users of OpenBSD 6.5 and OpenBSD 6.6 should update their systems to stay protected.