The remote OpenBSD host is version 6.6 and missing security patches. It is, therefore, affected by multiple vulnerabilities:
- In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c. (CVE-2019-19519)
- xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
(CVE-2019-19520)
- libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c). (CVE-2019-19521)
- OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root’s file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root. (CVE-2019-19522)
Binary data openbsd_auth_bypass.nbin