One of the internet’s most popular free operating systems allowed attackers to bypass its authentication controls, effectively leaving the keys in the back door, according to an advisory released this week. The developers of the OpenBSD system have already patched the vulnerability.
OpenBSD allowed people access to its smtpd, ldapd, and radiusd programs – which send mail, allow access to user directories, and allow remote access to the computer system. All an attacker needed to do was enter a specific word prefixed by a hyphen as a username.
Qualys Research Labs found four bugs in BSD Authentication, which is the code that OpenBSD uses to authenticate users. Three of them were local privilege escalation bugs, while the other, CVE-2019-19521, bypassed the authentication system altogether. According to its security advisory, BSD Authentication supports three authentication styles: password, a one-time password mechanism called S/Key, and Yubico’s YubiKey hardware token.
The authentication bypass vulnerability automatically waves through anyone accessing via the password option with the username -schallenge, because the hyphen forces the operating system to interpret the word as a command line option for the program performing the authentication. The -schallenge option automatically grants the user access.
Vulnerability CVE-2019-19520 permits a local privilege escalation via ‘xlock’. This allows an attacker to gain access to the ‘auth’ user group, which sets them up to use the second privilege escalation weakness, CVE-2019-19522, which provides root access via the S/Key and YubiKey authentication methods. The code for these authentication types does not verify that the files they use belong to the correct user, and an attacker with ‘auth’ access could write their own files to the S/Key and YubiKey authentication directories. Daisychaining these two vulnerabilities together gets ‘root’ access.
Finally, CVE-2019-19519 escalates an attacker’s privilege via ‘su’, which is a utility allowing one user to execute commands with the privileges of another.
Created in 1996, OpenBSD is a fork of the NetBSD operating system. Its guiding entity, the OpenBSD Foundation, prides itself on the operating system’s security. It is the underlying engine powering a range of network appliances including routers and wireless access points. Its developers also created OpenSSH, which first appeared in OpenBSD. Any security holes in the product could unlock devices that rely on it.
OpenBSD and associated programs may focus on security, but it doesn’t mean that some bugs don’t make it through. Every system has bugs. What matters is how the developers react to them. OpenBSD’s developers moved quickly to fix these latest bugs, confirming them and producing patches for OpenBSD 6.5 and 6.6 in under 40 hours, according to Qualys.
What to do
Users should visit the errata pages for OpenBSD 6.5 and 6.6 and follow the instructions.
Steve
“According to its security advisory, BSD Authentication supports four authentication styles: password, a one-time password mechanism called S/Key, and Yubico’s YubiKey hardware token.”
1… 2… 3… what’s #4?
Paul Ducklin
Fixed, thanks (changed ‘four’ to ‘three’, as listed).